@probelabs/visor 0.1.173 → 0.1.174-ee

package/dist/sdk/sdk.js

@@ -704,7 +704,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@probelabs/visor",
-      version: "0.1.173",
+      version: "0.1.42",
       main: "dist/index.js",
       bin: {
         visor: "./dist/index.js"
@@ -823,7 +823,7 @@ var require_package = __commonJS({
         "@opentelemetry/sdk-node": "^0.203.0",
         "@opentelemetry/sdk-trace-base": "^1.30.1",
         "@opentelemetry/semantic-conventions": "^1.30.1",
-        "@probelabs/probe": "^0.6.0-rc290",
+        "@probelabs/probe": "^0.6.0-rc291",
         "@types/commander": "^2.12.0",
         "@types/uuid": "^10.0.0",
         acorn: "^8.16.0",
@@ -939,50 +939,53 @@ __export(metrics_exports, {
   resetRunAiCalls: () => resetRunAiCalls,
   resetTestMetricsSnapshot: () => resetTestMetricsSnapshot
 });
+function getMeter() {
+  return metrics.getMeter("visor");
+}
 function ensureInstruments() {
   if (initialized) return;
   try {
-    checkDurationHist = meter.createHistogram("visor.check.duration_ms", {
+    checkDurationHist = getMeter().createHistogram("visor.check.duration_ms", {
       description: "Duration of a check execution in milliseconds",
       unit: "ms"
     });
-    providerDurationHist = meter.createHistogram("visor.provider.duration_ms", {
+    providerDurationHist = getMeter().createHistogram("visor.provider.duration_ms", {
       description: "Duration of provider execution in milliseconds",
       unit: "ms"
     });
-    foreachDurationHist = meter.createHistogram("visor.foreach.item.duration_ms", {
+    foreachDurationHist = getMeter().createHistogram("visor.foreach.item.duration_ms", {
       description: "Duration of a forEach item execution in milliseconds",
       unit: "ms"
     });
-    issuesCounter = meter.createCounter("visor.check.issues", {
+    issuesCounter = getMeter().createCounter("visor.check.issues", {
       description: "Number of issues produced by checks",
       unit: "1"
     });
-    activeChecks = meter.createUpDownCounter("visor.run.active_checks", {
+    activeChecks = getMeter().createUpDownCounter("visor.run.active_checks", {
       description: "Number of checks actively running",
       unit: "1"
     });
-    failIfCounter = meter.createCounter("visor.fail_if.triggered", {
+    failIfCounter = getMeter().createCounter("visor.fail_if.triggered", {
       description: "Number of times fail_if condition triggered",
       unit: "1"
     });
-    diagramBlocks = meter.createCounter("visor.diagram.blocks", {
+    diagramBlocks = getMeter().createCounter("visor.diagram.blocks", {
       description: "Number of Mermaid diagram blocks emitted",
       unit: "1"
     });
-    runCounter = meter.createCounter("visor.run.total", {
+    runCounter = getMeter().createCounter("visor.run.total", {
       description: "Total number of visor runs (workflow executions)",
       unit: "1"
     });
-    runDurationHist = meter.createHistogram("visor.run.duration_ms", {
+    runDurationHist = getMeter().createHistogram("visor.run.duration_ms", {
       description: "Duration of a complete visor run in milliseconds",
       unit: "ms"
     });
-    aiCallCounter = meter.createCounter("visor.ai_call.total", {
+    aiCallCounter = getMeter().createCounter("visor.ai_call.total", {
       description: "Total number of AI provider calls",
       unit: "1"
     });
-    runAiCallsHist = meter.createHistogram("visor.run.ai_calls", {
+    runAiCallsHist = getMeter().createHistogram("visor.run.ai_calls", {
       description: "Number of AI calls per visor run",
       unit: "1"
     });
@@ -1119,13 +1122,12 @@ function getTestMetricsSnapshot() {
 function resetTestMetricsSnapshot() {
   Object.keys(TEST_SNAPSHOT).forEach((k) => TEST_SNAPSHOT[k] = 0);
 }
-var initialized, meter, TEST_ENABLED, TEST_SNAPSHOT, checkDurationHist, providerDurationHist, foreachDurationHist, issuesCounter, activeChecks, failIfCounter, diagramBlocks, runCounter, runDurationHist, aiCallCounter, runAiCallsHist, _currentRunAiCalls;
+var initialized, TEST_ENABLED, TEST_SNAPSHOT, checkDurationHist, providerDurationHist, foreachDurationHist, issuesCounter, activeChecks, failIfCounter, diagramBlocks, runCounter, runDurationHist, aiCallCounter, runAiCallsHist, _currentRunAiCalls;
 var init_metrics = __esm({
   "src/telemetry/metrics.ts"() {
     "use strict";
     init_lazy_otel();
     initialized = false;
-    meter = metrics.getMeter("visor");
     TEST_ENABLED = process.env.VISOR_TEST_METRICS === "true";
     TEST_SNAPSHOT = { fail_if_triggered: 0 };
     _currentRunAiCalls = 0;
@@ -1150,11 +1152,11 @@ function getTracer() {
 }
 async function withActiveSpan(name, attrs, fn) {
   const tracer = getTracer();
-  return await new Promise((resolve15, reject) => {
+  return await new Promise((resolve19, reject) => {
     const callback = async (span) => {
       try {
         const res = await fn(span);
-        resolve15(res);
+        resolve19(res);
       } catch (err) {
         try {
           if (err instanceof Error) span.recordException(err);
@@ -1279,19 +1281,19 @@ function __getOrCreateNdjsonPath() {
   try {
     if (process.env.VISOR_TELEMETRY_SINK && process.env.VISOR_TELEMETRY_SINK !== "file")
       return null;
-    const path29 = require("path");
-    const fs25 = require("fs");
+    const path33 = require("path");
+    const fs29 = require("fs");
     if (process.env.VISOR_FALLBACK_TRACE_FILE) {
       __ndjsonPath = process.env.VISOR_FALLBACK_TRACE_FILE;
-      const dir = path29.dirname(__ndjsonPath);
-      if (!fs25.existsSync(dir)) fs25.mkdirSync(dir, { recursive: true });
+      const dir = path33.dirname(__ndjsonPath);
+      if (!fs29.existsSync(dir)) fs29.mkdirSync(dir, { recursive: true });
       return __ndjsonPath;
     }
-    const outDir = process.env.VISOR_TRACE_DIR || path29.join(process.cwd(), "output", "traces");
-    if (!fs25.existsSync(outDir)) fs25.mkdirSync(outDir, { recursive: true });
+    const outDir = process.env.VISOR_TRACE_DIR || path33.join(process.cwd(), "output", "traces");
+    if (!fs29.existsSync(outDir)) fs29.mkdirSync(outDir, { recursive: true });
     if (!__ndjsonPath) {
       const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-      __ndjsonPath = path29.join(outDir, `${ts}.ndjson`);
+      __ndjsonPath = path33.join(outDir, `${ts}.ndjson`);
     }
     return __ndjsonPath;
   } catch {
@@ -1300,11 +1302,11 @@ function __getOrCreateNdjsonPath() {
 }
 function _appendRunMarker() {
   try {
-    const fs25 = require("fs");
+    const fs29 = require("fs");
     const p = __getOrCreateNdjsonPath();
     if (!p) return;
     const line = { name: "visor.run", attributes: { started: true } };
-    fs25.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
+    fs29.appendFileSync(p, JSON.stringify(line) + "\n", "utf8");
   } catch {
   }
 }
@@ -3391,7 +3393,7 @@ var init_failure_condition_evaluator = __esm({
        */
       evaluateExpression(condition, context2) {
         try {
-          const normalize4 = (expr) => {
+          const normalize8 = (expr) => {
             const trimmed = expr.trim();
             if (!/[\n;]/.test(trimmed)) return trimmed;
             const parts = trimmed.split(/[\n;]+/).map((s) => s.trim()).filter((s) => s.length > 0 && !s.startsWith("//"));
@@ -3549,7 +3551,7 @@ var init_failure_condition_evaluator = __esm({
           try {
             exec2 = this.sandbox.compile(`return (${raw});`);
           } catch {
-            const normalizedExpr = normalize4(condition);
+            const normalizedExpr = normalize8(condition);
             exec2 = this.sandbox.compile(`return (${normalizedExpr});`);
           }
           const result = exec2(scope).run();
@@ -3932,9 +3934,9 @@ function configureLiquidWithExtensions(liquid) {
   });
   liquid.registerFilter("get", (obj, pathExpr) => {
     if (obj == null) return void 0;
-    const path29 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
-    if (!path29) return obj;
-    const parts = path29.split(".");
+    const path33 = typeof pathExpr === "string" ? pathExpr : String(pathExpr || "");
+    if (!path33) return obj;
+    const parts = path33.split(".");
     let cur = obj;
     for (const p of parts) {
       if (cur == null) return void 0;
@@ -4053,9 +4055,9 @@ function configureLiquidWithExtensions(liquid) {
           }
         }
         const defaultRole = typeof rolesCfg.default === "string" && rolesCfg.default.trim() ? rolesCfg.default.trim() : void 0;
-        const getNested = (obj, path29) => {
-          if (!obj || !path29) return void 0;
-          const parts = path29.split(".");
+        const getNested = (obj, path33) => {
+          if (!obj || !path33) return void 0;
+          const parts = path33.split(".");
           let cur = obj;
           for (const p of parts) {
             if (cur == null) return void 0;
@@ -6607,8 +6609,8 @@ var init_dependency_gating = __esm({
 async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs25 = await import("fs/promises");
-    const path29 = await import("path");
+    const fs29 = await import("fs/promises");
+    const path33 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" ? schemaRaw : "code-review";
     let templateContent;
@@ -6616,24 +6618,24 @@ async function renderTemplateContent(checkId, checkConfig, reviewSummary) {
       templateContent = String(checkConfig.template.content);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path29.resolve(process.cwd(), file);
-      templateContent = await fs25.readFile(resolved, "utf-8");
+      const resolved = path33.resolve(process.cwd(), file);
+      templateContent = await fs29.readFile(resolved, "utf-8");
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path29.join(__dirname, "output", sanitized, "template.liquid"),
+          path33.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path29.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path33.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source: output/
-          path29.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path33.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path29.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path33.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs25.readFile(p, "utf-8");
+            templateContent = await fs29.readFile(p, "utf-8");
             if (templateContent) break;
           } catch {
           }
@@ -7038,7 +7040,7 @@ async function processDiffWithOutline(diffContent) {
   }
   try {
     const originalProbePath = process.env.PROBE_PATH;
-    const fs25 = require("fs");
+    const fs29 = require("fs");
     const possiblePaths = [
       // Relative to current working directory (most common in production)
       path6.join(process.cwd(), "node_modules/@probelabs/probe/bin/probe-binary"),
@@ -7049,7 +7051,7 @@ async function processDiffWithOutline(diffContent) {
     ];
     let probeBinaryPath;
     for (const candidatePath of possiblePaths) {
-      if (fs25.existsSync(candidatePath)) {
+      if (fs29.existsSync(candidatePath)) {
         probeBinaryPath = candidatePath;
         break;
       }
@@ -7156,7 +7158,7 @@ async function renderMermaidToPng(mermaidCode) {
     if (chromiumPath) {
       env.PUPPETEER_EXECUTABLE_PATH = chromiumPath;
     }
-    const result = await new Promise((resolve15) => {
+    const result = await new Promise((resolve19) => {
       const proc = (0, import_child_process.spawn)(
         "npx",
         [
@@ -7186,13 +7188,13 @@ async function renderMermaidToPng(mermaidCode) {
       });
       proc.on("close", (code) => {
         if (code === 0) {
-          resolve15({ success: true });
+          resolve19({ success: true });
         } else {
-          resolve15({ success: false, error: stderr || `Exit code ${code}` });
+          resolve19({ success: false, error: stderr || `Exit code ${code}` });
         }
       });
       proc.on("error", (err) => {
-        resolve15({ success: false, error: err.message });
+        resolve19({ success: false, error: err.message });
       });
     });
     if (!result.success) {
@@ -8354,8 +8356,8 @@ ${schemaString}`);
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs29 = require("fs");
+              const path33 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const provider = this.config.provider || "auto";
               const model = this.config.model || "default";
@@ -8469,20 +8471,20 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              if (!fs25.existsSync(debugArtifactsDir)) {
-                fs25.mkdirSync(debugArtifactsDir, { recursive: true });
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              if (!fs29.existsSync(debugArtifactsDir)) {
+                fs29.mkdirSync(debugArtifactsDir, { recursive: true });
               }
-              const debugFile = path29.join(
+              const debugFile = path33.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.json`
               );
-              fs25.writeFileSync(debugFile, debugJson, "utf-8");
-              const readableFile = path29.join(
+              fs29.writeFileSync(debugFile, debugJson, "utf-8");
+              const readableFile = path33.join(
                 debugArtifactsDir,
                 `prompt-${_checkName || "unknown"}-${timestamp}.txt`
               );
-              fs25.writeFileSync(readableFile, readableVersion, "utf-8");
+              fs29.writeFileSync(readableFile, readableVersion, "utf-8");
               log(`
 \u{1F4BE} Full debug info saved to:`);
               log(`   JSON: ${debugFile}`);
@@ -8520,8 +8522,8 @@ ${"=".repeat(60)}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs29 = require("fs");
+              const path33 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny2 = agent;
               let fullHistory = [];
@@ -8532,8 +8534,8 @@ ${"=".repeat(60)}
               } else if (agentAny2._messages) {
                 fullHistory = agentAny2._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path33.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -8545,7 +8547,7 @@ ${"=".repeat(60)}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs25.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs29.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -8572,7 +8574,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs25.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs29.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -8581,11 +8583,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs29 = require("fs");
+              const path33 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const responseFile = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              const responseFile = path33.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -8618,7 +8620,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs25.writeFileSync(responseFile, responseContent, "utf-8");
+              fs29.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -8634,9 +8636,9 @@ ${"=".repeat(60)}
                 await agentAny._telemetryConfig.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${agentAny._traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs25 = require("fs");
-                  if (fs25.existsSync(agentAny._traceFilePath)) {
-                    const stats = fs25.statSync(agentAny._traceFilePath);
+                  const fs29 = require("fs");
+                  if (fs29.existsSync(agentAny._traceFilePath)) {
+                    const stats = fs29.statSync(agentAny._traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::${agentAny._traceFilePath} (${stats.size} bytes)`
                     );
@@ -8849,9 +8851,9 @@ ${schemaString}`);
           const model = this.config.model || "default";
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
-              const os2 = require("os");
+              const fs29 = require("fs");
+              const path33 = require("path");
+              const os3 = require("os");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const debugData = {
                 timestamp,
@@ -8923,19 +8925,19 @@ ${"=".repeat(60)}
 `;
               readableVersion += `${"=".repeat(60)}
 `;
-              const tempDir = os2.tmpdir();
-              const promptFile = path29.join(tempDir, `visor-prompt-${timestamp}.txt`);
-              fs25.writeFileSync(promptFile, prompt, "utf-8");
+              const tempDir = os3.tmpdir();
+              const promptFile = path33.join(tempDir, `visor-prompt-${timestamp}.txt`);
+              fs29.writeFileSync(promptFile, prompt, "utf-8");
               log(`
 \u{1F4BE} Prompt saved to: ${promptFile}`);
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
               try {
-                const base = path29.join(
+                const base = path33.join(
                   debugArtifactsDir,
                   `prompt-${_checkName || "unknown"}-${timestamp}`
                 );
-                fs25.writeFileSync(base + ".json", debugJson, "utf-8");
-                fs25.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
+                fs29.writeFileSync(base + ".json", debugJson, "utf-8");
+                fs29.writeFileSync(base + ".summary.txt", readableVersion, "utf-8");
                 log(`
 \u{1F4BE} Full debug info saved to directory: ${debugArtifactsDir}`);
               } catch {
@@ -8985,8 +8987,8 @@ $ ${cliCommand}
           log(`\u{1F4E4} Response length: ${response.length} characters`);
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs29 = require("fs");
+              const path33 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
               const agentAny = agent;
               let fullHistory = [];
@@ -8997,8 +8999,8 @@ $ ${cliCommand}
               } else if (agentAny._messages) {
                 fullHistory = agentAny._messages;
               }
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const sessionBase = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              const sessionBase = path33.join(
                 debugArtifactsDir,
                 `session-${_checkName || "unknown"}-${timestamp}`
               );
@@ -9010,7 +9012,7 @@ $ ${cliCommand}
                 schema: effectiveSchema,
                 totalMessages: fullHistory.length
               };
-              fs25.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
+              fs29.writeFileSync(sessionBase + ".json", JSON.stringify(sessionData, null, 2), "utf-8");
               let readable = `=============================================================
 `;
               readable += `COMPLETE AI SESSION HISTORY (AFTER RESPONSE)
@@ -9037,7 +9039,7 @@ ${"=".repeat(60)}
 `;
                 readable += content + "\n";
               });
-              fs25.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
+              fs29.writeFileSync(sessionBase + ".summary.txt", readable, "utf-8");
               log(`\u{1F4BE} Complete session history saved:`);
               log(`   - Contains ALL ${fullHistory.length} messages (prompts + responses)`);
             } catch (error) {
@@ -9046,11 +9048,11 @@ ${"=".repeat(60)}
           }
           if (process.env.VISOR_DEBUG_AI_SESSIONS === "true") {
             try {
-              const fs25 = require("fs");
-              const path29 = require("path");
+              const fs29 = require("fs");
+              const path33 = require("path");
               const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path29.join(process.cwd(), "debug-artifacts");
-              const responseFile = path29.join(
+              const debugArtifactsDir = process.env.VISOR_DEBUG_ARTIFACTS || path33.join(process.cwd(), "debug-artifacts");
+              const responseFile = path33.join(
                 debugArtifactsDir,
                 `response-${_checkName || "unknown"}-${timestamp}.txt`
               );
@@ -9083,7 +9085,7 @@ ${"=".repeat(60)}
 `;
               responseContent += `${"=".repeat(60)}
 `;
-              fs25.writeFileSync(responseFile, responseContent, "utf-8");
+              fs29.writeFileSync(responseFile, responseContent, "utf-8");
               log(`\u{1F4BE} Response saved to: ${responseFile}`);
             } catch (error) {
               log(`\u26A0\uFE0F Could not save response file: ${error}`);
@@ -9101,9 +9103,9 @@ ${"=".repeat(60)}
                 await telemetry.shutdown();
                 log(`\u{1F4CA} OpenTelemetry trace saved to: ${traceFilePath}`);
                 if (process.env.GITHUB_ACTIONS) {
-                  const fs25 = require("fs");
-                  if (fs25.existsSync(traceFilePath)) {
-                    const stats = fs25.statSync(traceFilePath);
+                  const fs29 = require("fs");
+                  if (fs29.existsSync(traceFilePath)) {
+                    const stats = fs29.statSync(traceFilePath);
                     console.log(
                       `::notice title=AI Trace Saved::OpenTelemetry trace file size: ${stats.size} bytes`
                     );
@@ -9141,8 +9143,8 @@ ${"=".repeat(60)}
        * Load schema content from schema files or inline definitions
        */
       async loadSchemaContent(schema) {
-        const fs25 = require("fs").promises;
-        const path29 = require("path");
+        const fs29 = require("fs").promises;
+        const path33 = require("path");
         if (typeof schema === "object" && schema !== null) {
           log("\u{1F4CB} Using inline schema object from configuration");
           return JSON.stringify(schema);
@@ -9155,14 +9157,14 @@ ${"=".repeat(60)}
           }
         } catch {
         }
-        if ((schema.startsWith("./") || schema.includes(".json")) && !path29.isAbsolute(schema)) {
+        if ((schema.startsWith("./") || schema.includes(".json")) && !path33.isAbsolute(schema)) {
           if (schema.includes("..") || schema.includes("\0")) {
             throw new Error("Invalid schema path: path traversal not allowed");
           }
           try {
-            const schemaPath = path29.resolve(process.cwd(), schema);
+            const schemaPath = path33.resolve(process.cwd(), schema);
             log(`\u{1F4CB} Loading custom schema from file: ${schemaPath}`);
-            const schemaContent = await fs25.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs29.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch (error) {
             throw new Error(
@@ -9176,22 +9178,22 @@ ${"=".repeat(60)}
         }
         const candidatePaths = [
           // GitHub Action bundle location
-          path29.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
+          path33.join(__dirname, "output", sanitizedSchemaName, "schema.json"),
           // Historical fallback when src/output was inadvertently bundled as output1/
-          path29.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
+          path33.join(__dirname, "output1", sanitizedSchemaName, "schema.json"),
           // Local dev (repo root)
-          path29.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
+          path33.join(process.cwd(), "output", sanitizedSchemaName, "schema.json")
         ];
         for (const schemaPath of candidatePaths) {
           try {
-            const schemaContent = await fs25.readFile(schemaPath, "utf-8");
+            const schemaContent = await fs29.readFile(schemaPath, "utf-8");
             return schemaContent.trim();
           } catch {
           }
         }
-        const distPath = path29.join(__dirname, "output", sanitizedSchemaName, "schema.json");
-        const distAltPath = path29.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
-        const cwdPath = path29.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
+        const distPath = path33.join(__dirname, "output", sanitizedSchemaName, "schema.json");
+        const distAltPath = path33.join(__dirname, "output1", sanitizedSchemaName, "schema.json");
+        const cwdPath = path33.join(process.cwd(), "output", sanitizedSchemaName, "schema.json");
         throw new Error(
           `Failed to load schema '${sanitizedSchemaName}'. Tried: ${distPath}, ${distAltPath}, and ${cwdPath}. Ensure build copies 'output/' into dist (build:cli), or provide a custom schema file/path.`
         );
@@ -9433,7 +9435,7 @@ ${"=".repeat(60)}
        * Generate mock response for testing
        */
       async generateMockResponse(_prompt, _checkName, _schema) {
-        await new Promise((resolve15) => setTimeout(resolve15, 500));
+        await new Promise((resolve19) => setTimeout(resolve19, 500));
         const name = (_checkName || "").toLowerCase();
         if (name.includes("extract-facts")) {
           const arr = Array.from({ length: 6 }, (_, i) => ({
@@ -9794,7 +9796,7 @@ var init_command_executor = __esm({
        * Execute command with stdin input
        */
       executeWithStdin(command, options) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           const childProcess = (0, import_child_process2.exec)(
             command,
             {
@@ -9806,7 +9808,7 @@ var init_command_executor = __esm({
               if (error && error.killed && (error.code === "ETIMEDOUT" || error.signal === "SIGTERM")) {
                 reject(new Error(`Command timed out after ${options.timeout || 3e4}ms`));
               } else {
-                resolve15({
+                resolve19({
                   stdout: stdout || "",
                   stderr: stderr || "",
                   exitCode: error ? error.code || 1 : 0
@@ -12669,6 +12671,22 @@ var init_config_schema = __esm({
               $ref: "#/definitions/SlackConfig",
               description: "Slack configuration"
             },
+            telegram: {
+              $ref: "#/definitions/TelegramConfig",
+              description: "Telegram bot configuration"
+            },
+            email: {
+              $ref: "#/definitions/EmailConfig",
+              description: "Email integration configuration"
+            },
+            whatsapp: {
+              $ref: "#/definitions/WhatsAppConfig",
+              description: "WhatsApp bot configuration"
+            },
+            teams: {
+              $ref: "#/definitions/TeamsConfig",
+              description: "Microsoft Teams bot configuration"
+            },
             scheduler: {
               $ref: "#/definitions/SchedulerConfig",
               description: "Scheduler configuration for scheduled workflow execution"
@@ -13442,7 +13460,7 @@ var init_config_schema = __esm({
               description: "Arguments/inputs for the workflow"
             },
             overrides: {
-              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-56400%3E%3E",
+              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833%3E%3E",
               description: "Override specific step configurations in the workflow"
             },
             output_mapping: {
@@ -13458,7 +13476,7 @@ var init_config_schema = __esm({
               description: "Config file path - alternative to workflow ID (loads a Visor config file as workflow)"
             },
             workflow_overrides: {
-              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-56400%3E%3E",
+              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833%3E%3E",
               description: "Alias for overrides - workflow step overrides (backward compatibility)"
             },
             ref: {
@@ -13642,7 +13660,11 @@ var init_config_schema = __esm({
             "manual",
             "schedule",
             "webhook_received",
-            "slack_message"
+            "slack_message",
+            "telegram_message",
+            "email_message",
+            "whatsapp_message",
+            "teams_message"
           ],
           description: "Valid event triggers for checks"
         },
@@ -14156,7 +14178,7 @@ var init_config_schema = __esm({
               description: "Custom output name (defaults to workflow name)"
             },
             overrides: {
-              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-56400%3E%3E",
+              $ref: "#/definitions/Record%3Cstring%2CPartial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833%3E%3E",
               description: "Step overrides"
             },
             output_mapping: {
@@ -14171,13 +14193,13 @@ var init_config_schema = __esm({
             "^x-": {}
           }
         },
-        "Record<string,Partial<interface-src_types_config.ts-13844-28438-src_types_config.ts-0-56400>>": {
+        "Record<string,Partial<interface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833>>": {
           type: "object",
           additionalProperties: {
-            $ref: "#/definitions/Partial%3Cinterface-src_types_config.ts-13844-28438-src_types_config.ts-0-56400%3E"
+            $ref: "#/definitions/Partial%3Cinterface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833%3E"
           }
         },
-        "Partial<interface-src_types_config.ts-13844-28438-src_types_config.ts-0-56400>": {
+        "Partial<interface-src_types_config.ts-14017-28611-src_types_config.ts-0-56833>": {
           type: "object",
           additionalProperties: false
         },
@@ -15036,6 +15058,260 @@ var init_config_schema = __esm({
             "^x-": {}
           }
         },
+        TelegramConfig: {
+          type: "object",
+          properties: {
+            bot_token: {
+              type: "string",
+              description: "Bot token from"
+            },
+            polling_timeout: {
+              type: "number",
+              description: "Polling timeout in seconds for getUpdates (default: 30)"
+            },
+            chat_allowlist: {
+              type: "array",
+              items: {
+                type: ["string", "number"]
+              },
+              description: "Chat/group allowlist - numeric chat IDs that the bot responds in"
+            },
+            require_mention: {
+              type: "boolean",
+              description: "In groups, only respond when"
+            },
+            workflow: {
+              type: "string",
+              description: "Workflow to run when a message is received"
+            }
+          },
+          additionalProperties: false,
+          patternProperties: {
+            "^x-": {}
+          }
+        },
+        EmailConfig: {
+          type: "object",
+          properties: {
+            receive: {
+              type: "object",
+              properties: {
+                type: {
+                  type: "string",
+                  enum: ["imap", "resend"],
+                  description: "Backend type: 'imap' (universal) or 'resend' (managed webhook)"
+                },
+                host: {
+                  type: "string",
+                  description: "IMAP server hostname"
+                },
+                port: {
+                  type: "number",
+                  description: "IMAP server port (default: 993)"
+                },
+                auth: {
+                  type: "object",
+                  properties: {
+                    user: {
+                      type: "string"
+                    },
+                    pass: {
+                      type: "string"
+                    }
+                  },
+                  additionalProperties: false,
+                  description: "IMAP auth credentials",
+                  patternProperties: {
+                    "^x-": {}
+                  }
+                },
+                secure: {
+                  type: "boolean",
+                  description: "Use TLS (default: true)"
+                },
+                poll_interval: {
+                  type: "number",
+                  description: "Polling interval in seconds when IDLE not available (default: 30)"
+                },
+                folder: {
+                  type: "string",
+                  description: "IMAP folder to monitor (default: 'INBOX')"
+                },
+                mark_read: {
+                  type: "boolean",
+                  description: "Mark processed messages as read (default: true)"
+                },
+                api_key: {
+                  type: "string",
+                  description: "Resend API key (for type: 'resend')"
+                },
+                webhook_secret: {
+                  type: "string",
+                  description: "Resend webhook secret for signature verification"
+                }
+              },
+              additionalProperties: false,
+              description: "Receive backend configuration",
+              patternProperties: {
+                "^x-": {}
+              }
+            },
+            send: {
+              type: "object",
+              properties: {
+                type: {
+                  type: "string",
+                  enum: ["smtp", "resend"],
+                  description: "Backend type: 'smtp' (universal) or 'resend' (managed API)"
+                },
+                host: {
+                  type: "string",
+                  description: "SMTP server hostname"
+                },
+                port: {
+                  type: "number",
+                  description: "SMTP server port (default: 587)"
+                },
+                auth: {
+                  type: "object",
+                  properties: {
+                    user: {
+                      type: "string"
+                    },
+                    pass: {
+                      type: "string"
+                    }
+                  },
+                  additionalProperties: false,
+                  description: "SMTP auth credentials",
+                  patternProperties: {
+                    "^x-": {}
+                  }
+                },
+                secure: {
+                  type: "boolean",
+                  description: "Use TLS (default: true)"
+                },
+                from: {
+                  type: "string",
+                  description: 'Default sender address (e.g., "Bot <bot@example.com>")'
+                },
+                api_key: {
+                  type: "string",
+                  description: "Resend API key (for type: 'resend')"
+                }
+              },
+              additionalProperties: false,
+              description: "Send backend configuration",
+              patternProperties: {
+                "^x-": {}
+              }
+            },
+            allowlist: {
+              type: "array",
+              items: {
+                type: "string"
+              },
+              description: "Only process emails from these senders"
+            },
+            workflow: {
+              type: "string",
+              description: "Workflow to run when an email is received"
+            }
+          },
+          additionalProperties: false,
+          patternProperties: {
+            "^x-": {}
+          }
+        },
+        WhatsAppConfig: {
+          type: "object",
+          properties: {
+            access_token: {
+              type: "string",
+              description: "WhatsApp Cloud API access token (or WHATSAPP_ACCESS_TOKEN env var)"
+            },
+            phone_number_id: {
+              type: "string",
+              description: "Phone Number ID from Meta Business Suite (or WHATSAPP_PHONE_NUMBER_ID env var)"
+            },
+            app_secret: {
+              type: "string",
+              description: "Meta App Secret for webhook signature verification (or WHATSAPP_APP_SECRET env var)"
+            },
+            verify_token: {
+              type: "string",
+              description: "Verify token for webhook subscription challenge (or WHATSAPP_VERIFY_TOKEN env var)"
+            },
+            api_version: {
+              type: "string",
+              description: "Graph API version (default: 'v21.0')"
+            },
+            port: {
+              type: "number",
+              description: "Port for webhook HTTP server (default: 8443)"
+            },
+            host: {
+              type: "string",
+              description: "Host for webhook HTTP server (default: '0.0.0.0')"
+            },
+            phone_allowlist: {
+              type: "array",
+              items: {
+                type: "string"
+              },
+              description: "Phone number allowlist \u2014 only respond to these numbers"
+            },
+            workflow: {
+              type: "string",
+              description: "Workflow to run when a message is received"
+            }
+          },
+          additionalProperties: false,
+          patternProperties: {
+            "^x-": {}
+          }
+        },
+        TeamsConfig: {
+          type: "object",
+          properties: {
+            app_id: {
+              type: "string",
+              description: "Azure AD App (client) ID (or TEAMS_APP_ID env var)"
+            },
+            app_password: {
+              type: "string",
+              description: "Azure AD App client secret (or TEAMS_APP_PASSWORD env var)"
+            },
+            tenant_id: {
+              type: "string",
+              description: "Azure AD Tenant ID for single-tenant apps (or TEAMS_TENANT_ID env var)"
+            },
+            port: {
+              type: "number",
+              description: "Port for webhook HTTP server (default: 3978)"
+            },
+            host: {
+              type: "string",
+              description: "Host for webhook HTTP server (default: '0.0.0.0')"
+            },
+            user_allowlist: {
+              type: "array",
+              items: {
+                type: "string"
+              },
+              description: "User ID allowlist \u2014 only respond to these AAD user IDs"
+            },
+            workflow: {
+              type: "string",
+              description: "Workflow to run when a message is received"
+            }
+          },
+          additionalProperties: false,
+          patternProperties: {
+            "^x-": {}
+          }
+        },
         SchedulerConfig: {
           type: "object",
           properties: {
@@ -18299,17 +18575,17 @@ var init_workflow_check_provider = __esm({
        * so it can be executed by the state machine as a nested workflow.
        */
       async loadWorkflowFromConfigPath(sourcePath, baseDir) {
-        const path29 = require("path");
-        const fs25 = require("fs");
+        const path33 = require("path");
+        const fs29 = require("fs");
         const yaml5 = require("js-yaml");
-        const resolved = path29.isAbsolute(sourcePath) ? sourcePath : path29.resolve(baseDir, sourcePath);
-        if (!fs25.existsSync(resolved)) {
+        const resolved = path33.isAbsolute(sourcePath) ? sourcePath : path33.resolve(baseDir, sourcePath);
+        if (!fs29.existsSync(resolved)) {
           throw new Error(`Workflow config not found at: ${resolved}`);
         }
-        const rawContent = fs25.readFileSync(resolved, "utf8");
+        const rawContent = fs29.readFileSync(resolved, "utf8");
         const rawData = yaml5.load(rawContent);
         if (rawData.imports && Array.isArray(rawData.imports)) {
-          const configDir = path29.dirname(resolved);
+          const configDir = path33.dirname(resolved);
           for (const source of rawData.imports) {
             const results = await this.registry.import(source, {
               basePath: configDir,
@@ -18339,8 +18615,8 @@ ${errors}`);
         if (!steps || Object.keys(steps).length === 0) {
           throw new Error(`Config '${resolved}' does not contain any steps to execute as a workflow`);
         }
-        const id = path29.basename(resolved).replace(/\.(ya?ml)$/i, "");
-        const name = loaded.name || `Workflow from ${path29.basename(resolved)}`;
+        const id = path33.basename(resolved).replace(/\.(ya?ml)$/i, "");
+        const name = loaded.name || `Workflow from ${path33.basename(resolved)}`;
         const workflowDef = {
           id,
           name,
@@ -19149,8 +19425,8 @@ async function createStoreBackend(storageConfig, haConfig) {
     case "mssql": {
       try {
         const loaderPath = "../../enterprise/loader";
-        const { loadEnterpriseStoreBackend } = await import(loaderPath);
-        return await loadEnterpriseStoreBackend(driver, storageConfig, haConfig);
+        const { loadEnterpriseStoreBackend: loadEnterpriseStoreBackend2 } = await import(loaderPath);
+        return await loadEnterpriseStoreBackend2(driver, storageConfig, haConfig);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         logger.error(`[StoreFactory] Failed to load enterprise ${driver} backend: ${msg}`);
@@ -21838,7 +22114,7 @@ var init_mcp_custom_sse_server = __esm({
        * Returns the actual bound port number
        */
       async start() {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           try {
             this.server = import_http.default.createServer((req, res) => {
               this.handleRequest(req, res).catch((error) => {
@@ -21872,7 +22148,7 @@ var init_mcp_custom_sse_server = __esm({
                 );
               }
               this.startKeepalive();
-              resolve15(this.port);
+              resolve19(this.port);
             });
           } catch (error) {
             reject(error);
@@ -21935,7 +22211,7 @@ var init_mcp_custom_sse_server = __esm({
             logger.debug(
               `[CustomToolsSSEServer:${this.sessionId}] Grace period before stop: ${waitMs}ms (activeToolCalls=${this.activeToolCalls})`
             );
-            await new Promise((resolve15) => setTimeout(resolve15, waitMs));
+            await new Promise((resolve19) => setTimeout(resolve19, waitMs));
           }
         }
         if (this.activeToolCalls > 0) {
@@ -21944,7 +22220,7 @@ var init_mcp_custom_sse_server = __esm({
             `[CustomToolsSSEServer:${this.sessionId}] Waiting for ${this.activeToolCalls} active tool call(s) before stop`
           );
           while (this.activeToolCalls > 0 && Date.now() - startedAt < effectiveDrainTimeoutMs) {
-            await new Promise((resolve15) => setTimeout(resolve15, 250));
+            await new Promise((resolve19) => setTimeout(resolve19, 250));
           }
           if (this.activeToolCalls > 0) {
             logger.warn(
@@ -21969,21 +22245,21 @@ var init_mcp_custom_sse_server = __esm({
         }
         this.connections.clear();
         if (this.server) {
-          await new Promise((resolve15, reject) => {
+          await new Promise((resolve19, reject) => {
             const timeout = setTimeout(() => {
               if (this.debug) {
                 logger.debug(
                   `[CustomToolsSSEServer:${this.sessionId}] Force closing server after timeout`
                 );
               }
-              this.server?.close(() => resolve15());
+              this.server?.close(() => resolve19());
             }, 5e3);
             this.server.close((error) => {
               clearTimeout(timeout);
               if (error) {
                 reject(error);
               } else {
-                resolve15();
+                resolve19();
               }
             });
           });
@@ -22433,7 +22709,7 @@ var init_mcp_custom_sse_server = __esm({
               logger.warn(
                 `[CustomToolsSSEServer:${this.sessionId}] Tool ${toolName} failed (attempt ${attempt + 1}/${retryCount + 1}): ${errorMsg}. Retrying in ${delay}ms`
               );
-              await new Promise((resolve15) => setTimeout(resolve15, delay));
+              await new Promise((resolve19) => setTimeout(resolve19, delay));
               attempt++;
             }
           }
@@ -22825,9 +23101,9 @@ var init_ai_check_provider = __esm({
           } else {
             resolvedPath = import_path8.default.resolve(process.cwd(), str);
           }
-          const fs25 = require("fs").promises;
+          const fs29 = require("fs").promises;
           try {
-            const stat2 = await fs25.stat(resolvedPath);
+            const stat2 = await fs29.stat(resolvedPath);
             return stat2.isFile();
           } catch {
             return hasFileExtension && (isRelativePath || isAbsolutePath || hasPathSeparators);
@@ -28929,14 +29205,14 @@ var require_util = __commonJS({
         }
         const port = url.port != null ? url.port : url.protocol === "https:" ? 443 : 80;
         let origin = url.origin != null ? url.origin : `${url.protocol}//${url.hostname}:${port}`;
-        let path29 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
+        let path33 = url.path != null ? url.path : `${url.pathname || ""}${url.search || ""}`;
         if (origin.endsWith("/")) {
           origin = origin.substring(0, origin.length - 1);
         }
-        if (path29 && !path29.startsWith("/")) {
-          path29 = `/${path29}`;
+        if (path33 && !path33.startsWith("/")) {
+          path33 = `/${path33}`;
         }
-        url = new URL(origin + path29);
+        url = new URL(origin + path33);
       }
       return url;
     }
@@ -30550,20 +30826,20 @@ var require_parseParams = __commonJS({
 var require_basename = __commonJS({
   "node_modules/@fastify/busboy/lib/utils/basename.js"(exports2, module2) {
     "use strict";
-    module2.exports = function basename4(path29) {
-      if (typeof path29 !== "string") {
+    module2.exports = function basename4(path33) {
+      if (typeof path33 !== "string") {
         return "";
       }
-      for (var i = path29.length - 1; i >= 0; --i) {
-        switch (path29.charCodeAt(i)) {
+      for (var i = path33.length - 1; i >= 0; --i) {
+        switch (path33.charCodeAt(i)) {
           case 47:
           // '/'
           case 92:
-            path29 = path29.slice(i + 1);
-            return path29 === ".." || path29 === "." ? "" : path29;
+            path33 = path33.slice(i + 1);
+            return path33 === ".." || path33 === "." ? "" : path33;
         }
       }
-      return path29 === ".." || path29 === "." ? "" : path29;
+      return path33 === ".." || path33 === "." ? "" : path33;
     };
   }
 });
@@ -31567,11 +31843,11 @@ var require_util2 = __commonJS({
     var assert = require("assert");
     var { isUint8Array } = require("util/types");
     var supportedHashes = [];
-    var crypto7;
+    var crypto9;
     try {
-      crypto7 = require("crypto");
+      crypto9 = require("crypto");
       const possibleRelevantHashes = ["sha256", "sha384", "sha512"];
-      supportedHashes = crypto7.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
+      supportedHashes = crypto9.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
     } catch {
     }
     function responseURL(response) {
@@ -31848,7 +32124,7 @@ var require_util2 = __commonJS({
       }
     }
     function bytesMatch(bytes, metadataList) {
-      if (crypto7 === void 0) {
+      if (crypto9 === void 0) {
         return true;
       }
       const parsedMetadata = parseMetadata(metadataList);
@@ -31863,7 +32139,7 @@ var require_util2 = __commonJS({
       for (const item of metadata) {
         const algorithm = item.algo;
         const expectedValue = item.hash;
-        let actualValue = crypto7.createHash(algorithm).update(bytes).digest("base64");
+        let actualValue = crypto9.createHash(algorithm).update(bytes).digest("base64");
         if (actualValue[actualValue.length - 1] === "=") {
           if (actualValue[actualValue.length - 2] === "=") {
             actualValue = actualValue.slice(0, -2);
@@ -31956,8 +32232,8 @@ var require_util2 = __commonJS({
     function createDeferredPromise() {
       let res;
       let rej;
-      const promise = new Promise((resolve15, reject) => {
-        res = resolve15;
+      const promise = new Promise((resolve19, reject) => {
+        res = resolve19;
         rej = reject;
       });
       return { promise, resolve: res, reject: rej };
@@ -33210,8 +33486,8 @@ var require_body = __commonJS({
     var { parseMIMEType, serializeAMimeType } = require_dataURL();
     var random;
     try {
-      const crypto7 = require("crypto");
-      random = (max) => crypto7.randomInt(0, max);
+      const crypto9 = require("crypto");
+      random = (max) => crypto9.randomInt(0, max);
     } catch {
       random = (max) => Math.floor(Math.random(max));
     }
@@ -33462,8 +33738,8 @@ Content-Type: ${value.type || "application/octet-stream"}\r
                 });
               }
             });
-            const busboyResolve = new Promise((resolve15, reject) => {
-              busboy.on("finish", resolve15);
+            const busboyResolve = new Promise((resolve19, reject) => {
+              busboy.on("finish", resolve19);
               busboy.on("error", (err) => reject(new TypeError(err)));
             });
             if (this.body !== null) for await (const chunk of consumeBody(this[kState].body)) busboy.write(chunk);
@@ -33594,7 +33870,7 @@ var require_request = __commonJS({
     }
     var Request2 = class _Request {
       constructor(origin, {
-        path: path29,
+        path: path33,
         method,
         body,
         headers,
@@ -33608,11 +33884,11 @@ var require_request = __commonJS({
         throwOnError,
         expectContinue
       }, handler) {
-        if (typeof path29 !== "string") {
+        if (typeof path33 !== "string") {
           throw new InvalidArgumentError("path must be a string");
-        } else if (path29[0] !== "/" && !(path29.startsWith("http://") || path29.startsWith("https://")) && method !== "CONNECT") {
+        } else if (path33[0] !== "/" && !(path33.startsWith("http://") || path33.startsWith("https://")) && method !== "CONNECT") {
           throw new InvalidArgumentError("path must be an absolute URL or start with a slash");
-        } else if (invalidPathRegex.exec(path29) !== null) {
+        } else if (invalidPathRegex.exec(path33) !== null) {
           throw new InvalidArgumentError("invalid request path");
         }
         if (typeof method !== "string") {
@@ -33675,7 +33951,7 @@ var require_request = __commonJS({
         this.completed = false;
         this.aborted = false;
         this.upgrade = upgrade || null;
-        this.path = query ? util.buildURL(path29, query) : path29;
+        this.path = query ? util.buildURL(path33, query) : path33;
         this.origin = origin;
         this.idempotent = idempotent == null ? method === "HEAD" || method === "GET" : idempotent;
         this.blocking = blocking == null ? false : blocking;
@@ -33997,9 +34273,9 @@ var require_dispatcher_base = __commonJS({
       }
       close(callback) {
         if (callback === void 0) {
-          return new Promise((resolve15, reject) => {
+          return new Promise((resolve19, reject) => {
             this.close((err, data) => {
-              return err ? reject(err) : resolve15(data);
+              return err ? reject(err) : resolve19(data);
             });
           });
         }
@@ -34037,12 +34313,12 @@ var require_dispatcher_base = __commonJS({
           err = null;
         }
         if (callback === void 0) {
-          return new Promise((resolve15, reject) => {
+          return new Promise((resolve19, reject) => {
             this.destroy(err, (err2, data) => {
               return err2 ? (
                 /* istanbul ignore next: should never error */
                 reject(err2)
-              ) : resolve15(data);
+              ) : resolve19(data);
             });
           });
         }
@@ -34683,9 +34959,9 @@ var require_RedirectHandler = __commonJS({
           return this.handler.onHeaders(statusCode, headers, resume, statusText);
         }
         const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin)));
-        const path29 = search ? `${pathname}${search}` : pathname;
+        const path33 = search ? `${pathname}${search}` : pathname;
         this.opts.headers = cleanRequestHeaders(this.opts.headers, statusCode === 303, this.opts.origin !== origin);
-        this.opts.path = path29;
+        this.opts.path = path33;
         this.opts.origin = origin;
         this.opts.maxRedirections = 0;
         this.opts.query = null;
@@ -35104,16 +35380,16 @@ var require_client = __commonJS({
         return this[kNeedDrain] < 2;
       }
       async [kClose]() {
-        return new Promise((resolve15) => {
+        return new Promise((resolve19) => {
           if (!this[kSize]) {
-            resolve15(null);
+            resolve19(null);
           } else {
-            this[kClosedResolve] = resolve15;
+            this[kClosedResolve] = resolve19;
           }
         });
       }
       async [kDestroy](err) {
-        return new Promise((resolve15) => {
+        return new Promise((resolve19) => {
           const requests = this[kQueue].splice(this[kPendingIdx]);
           for (let i = 0; i < requests.length; i++) {
             const request = requests[i];
@@ -35124,7 +35400,7 @@ var require_client = __commonJS({
               this[kClosedResolve]();
               this[kClosedResolve] = null;
             }
-            resolve15();
+            resolve19();
           };
           if (this[kHTTP2Session] != null) {
             util.destroy(this[kHTTP2Session], err);
@@ -35704,7 +35980,7 @@ var require_client = __commonJS({
         });
       }
       try {
-        const socket = await new Promise((resolve15, reject) => {
+        const socket = await new Promise((resolve19, reject) => {
           client[kConnector]({
             host,
             hostname,
@@ -35716,7 +35992,7 @@ var require_client = __commonJS({
             if (err) {
               reject(err);
             } else {
-              resolve15(socket2);
+              resolve19(socket2);
             }
           });
         });
@@ -35927,7 +36203,7 @@ var require_client = __commonJS({
         writeH2(client, client[kHTTP2Session], request);
         return;
       }
-      const { body, method, path: path29, host, upgrade, headers, blocking, reset } = request;
+      const { body, method, path: path33, host, upgrade, headers, blocking, reset } = request;
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
         body.read(0);
@@ -35977,7 +36253,7 @@ var require_client = __commonJS({
       if (blocking) {
         socket[kBlocking] = true;
       }
-      let header = `${method} ${path29} HTTP/1.1\r
+      let header = `${method} ${path33} HTTP/1.1\r
 `;
       if (typeof host === "string") {
         header += `host: ${host}\r
@@ -36040,7 +36316,7 @@ upgrade: ${upgrade}\r
       return true;
     }
     function writeH2(client, session, request) {
-      const { body, method, path: path29, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
+      const { body, method, path: path33, host, upgrade, expectContinue, signal, headers: reqHeaders } = request;
       let headers;
       if (typeof reqHeaders === "string") headers = Request2[kHTTP2CopyHeaders](reqHeaders.trim());
       else headers = reqHeaders;
@@ -36083,7 +36359,7 @@ upgrade: ${upgrade}\r
         });
         return true;
       }
-      headers[HTTP2_HEADER_PATH] = path29;
+      headers[HTTP2_HEADER_PATH] = path33;
       headers[HTTP2_HEADER_SCHEME] = "https";
       const expectsPayload = method === "PUT" || method === "POST" || method === "PATCH";
       if (body && typeof body.read === "function") {
@@ -36340,12 +36616,12 @@ upgrade: ${upgrade}\r
           cb();
         }
       }
-      const waitForDrain = () => new Promise((resolve15, reject) => {
+      const waitForDrain = () => new Promise((resolve19, reject) => {
         assert(callback === null);
         if (socket[kError]) {
           reject(socket[kError]);
         } else {
-          callback = resolve15;
+          callback = resolve19;
         }
       });
       if (client[kHTTPConnVersion] === "h2") {
@@ -36691,8 +36967,8 @@ var require_pool_base = __commonJS({
         if (this[kQueue].isEmpty()) {
           return Promise.all(this[kClients].map((c) => c.close()));
         } else {
-          return new Promise((resolve15) => {
-            this[kClosedResolve] = resolve15;
+          return new Promise((resolve19) => {
+            this[kClosedResolve] = resolve19;
           });
         }
       }
@@ -37270,7 +37546,7 @@ var require_readable = __commonJS({
         if (this.closed) {
           return Promise.resolve(null);
         }
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           const signalListenerCleanup = signal ? util.addAbortListener(signal, () => {
             this.destroy();
           }) : noop;
@@ -37279,7 +37555,7 @@ var require_readable = __commonJS({
             if (signal && signal.aborted) {
               reject(signal.reason || Object.assign(new Error("The operation was aborted"), { name: "AbortError" }));
             } else {
-              resolve15(null);
+              resolve19(null);
             }
           }).on("error", noop).on("data", function(chunk) {
             limit -= chunk.length;
@@ -37301,11 +37577,11 @@ var require_readable = __commonJS({
         throw new TypeError("unusable");
       }
       assert(!stream[kConsume]);
-      return new Promise((resolve15, reject) => {
+      return new Promise((resolve19, reject) => {
         stream[kConsume] = {
           type,
           stream,
-          resolve: resolve15,
+          resolve: resolve19,
           reject,
           length: 0,
           body: []
@@ -37340,12 +37616,12 @@ var require_readable = __commonJS({
       }
     }
     function consumeEnd(consume2) {
-      const { type, body, resolve: resolve15, stream, length } = consume2;
+      const { type, body, resolve: resolve19, stream, length } = consume2;
       try {
         if (type === "text") {
-          resolve15(toUSVString(Buffer.concat(body)));
+          resolve19(toUSVString(Buffer.concat(body)));
         } else if (type === "json") {
-          resolve15(JSON.parse(Buffer.concat(body)));
+          resolve19(JSON.parse(Buffer.concat(body)));
         } else if (type === "arrayBuffer") {
           const dst = new Uint8Array(length);
           let pos = 0;
@@ -37353,12 +37629,12 @@ var require_readable = __commonJS({
             dst.set(buf, pos);
             pos += buf.byteLength;
           }
-          resolve15(dst.buffer);
+          resolve19(dst.buffer);
         } else if (type === "blob") {
           if (!Blob2) {
             Blob2 = require("buffer").Blob;
           }
-          resolve15(new Blob2(body, { type: stream[kContentType] }));
+          resolve19(new Blob2(body, { type: stream[kContentType] }));
         }
         consumeFinish(consume2);
       } catch (err) {
@@ -37615,9 +37891,9 @@ var require_api_request = __commonJS({
     };
     function request(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           request.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve19(data);
           });
         });
       }
@@ -37790,9 +38066,9 @@ var require_api_stream = __commonJS({
     };
     function stream(opts, factory, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           stream.call(this, opts, factory, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve19(data);
           });
         });
       }
@@ -38073,9 +38349,9 @@ var require_api_upgrade = __commonJS({
     };
     function upgrade(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           upgrade.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve19(data);
           });
         });
       }
@@ -38164,9 +38440,9 @@ var require_api_connect = __commonJS({
     };
     function connect(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve15, reject) => {
+        return new Promise((resolve19, reject) => {
           connect.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve15(data);
+            return err ? reject(err) : resolve19(data);
           });
         });
       }
@@ -38326,20 +38602,20 @@ var require_mock_utils = __commonJS({
       }
       return true;
     }
-    function safeUrl(path29) {
-      if (typeof path29 !== "string") {
-        return path29;
+    function safeUrl(path33) {
+      if (typeof path33 !== "string") {
+        return path33;
       }
-      const pathSegments = path29.split("?");
+      const pathSegments = path33.split("?");
       if (pathSegments.length !== 2) {
-        return path29;
+        return path33;
       }
       const qp = new URLSearchParams(pathSegments.pop());
       qp.sort();
       return [...pathSegments, qp.toString()].join("?");
     }
-    function matchKey(mockDispatch2, { path: path29, method, body, headers }) {
-      const pathMatch = matchValue(mockDispatch2.path, path29);
+    function matchKey(mockDispatch2, { path: path33, method, body, headers }) {
+      const pathMatch = matchValue(mockDispatch2.path, path33);
       const methodMatch = matchValue(mockDispatch2.method, method);
       const bodyMatch = typeof mockDispatch2.body !== "undefined" ? matchValue(mockDispatch2.body, body) : true;
       const headersMatch = matchHeaders(mockDispatch2, headers);
@@ -38357,7 +38633,7 @@ var require_mock_utils = __commonJS({
     function getMockDispatch(mockDispatches, key) {
       const basePath = key.query ? buildURL(key.path, key.query) : key.path;
       const resolvedPath = typeof basePath === "string" ? safeUrl(basePath) : basePath;
-      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path29 }) => matchValue(safeUrl(path29), resolvedPath));
+      let matchedMockDispatches = mockDispatches.filter(({ consumed }) => !consumed).filter(({ path: path33 }) => matchValue(safeUrl(path33), resolvedPath));
       if (matchedMockDispatches.length === 0) {
         throw new MockNotMatchedError(`Mock dispatch not matched for path '${resolvedPath}'`);
       }
@@ -38394,9 +38670,9 @@ var require_mock_utils = __commonJS({
       }
     }
     function buildKey(opts) {
-      const { path: path29, method, body, headers, query } = opts;
+      const { path: path33, method, body, headers, query } = opts;
       return {
-        path: path29,
+        path: path33,
         method,
         body,
         headers,
@@ -38845,10 +39121,10 @@ var require_pending_interceptors_formatter = __commonJS({
       }
       format(pendingInterceptors) {
         const withPrettyHeaders = pendingInterceptors.map(
-          ({ method, path: path29, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
+          ({ method, path: path33, data: { statusCode }, persist, times, timesInvoked, origin }) => ({
             Method: method,
             Origin: origin,
-            Path: path29,
+            Path: path33,
             "Status code": statusCode,
             Persistent: persist ? "\u2705" : "\u274C",
             Invocations: timesInvoked,
@@ -41789,7 +42065,7 @@ var require_fetch = __commonJS({
       async function dispatch({ body }) {
         const url = requestCurrentURL(request);
         const agent = fetchParams.controller.dispatcher;
-        return new Promise((resolve15, reject) => agent.dispatch(
+        return new Promise((resolve19, reject) => agent.dispatch(
           {
             path: url.pathname + url.search,
             origin: url.origin,
@@ -41865,7 +42141,7 @@ var require_fetch = __commonJS({
                   }
                 }
               }
-              resolve15({
+              resolve19({
                 status,
                 statusText,
                 headersList: headers[kHeadersList],
@@ -41908,7 +42184,7 @@ var require_fetch = __commonJS({
                 const val = headersList[n + 1].toString("latin1");
                 headers[kHeadersList].append(key, val);
               }
-              resolve15({
+              resolve19({
                 status,
                 statusText: STATUS_CODES[status],
                 headersList: headers[kHeadersList],
@@ -43469,8 +43745,8 @@ var require_util6 = __commonJS({
         }
       }
     }
-    function validateCookiePath(path29) {
-      for (const char of path29) {
+    function validateCookiePath(path33) {
+      for (const char of path33) {
         const code = char.charCodeAt(0);
         if (code < 33 || char === ";") {
           throw new Error("Invalid cookie path");
@@ -44267,9 +44543,9 @@ var require_connection = __commonJS({
     channels.open = diagnosticsChannel.channel("undici:websocket:open");
     channels.close = diagnosticsChannel.channel("undici:websocket:close");
     channels.socketError = diagnosticsChannel.channel("undici:websocket:socket_error");
-    var crypto7;
+    var crypto9;
     try {
-      crypto7 = require("crypto");
+      crypto9 = require("crypto");
     } catch {
     }
     function establishWebSocketConnection(url, protocols, ws, onEstablish, options) {
@@ -44288,7 +44564,7 @@ var require_connection = __commonJS({
         const headersList = new Headers(options.headers)[kHeadersList];
         request.headersList = headersList;
       }
-      const keyValue = crypto7.randomBytes(16).toString("base64");
+      const keyValue = crypto9.randomBytes(16).toString("base64");
       request.headersList.append("sec-websocket-key", keyValue);
       request.headersList.append("sec-websocket-version", "13");
       for (const protocol of protocols) {
@@ -44317,7 +44593,7 @@ var require_connection = __commonJS({
             return;
           }
           const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto7.createHash("sha1").update(keyValue + uid).digest("base64");
+          const digest = crypto9.createHash("sha1").update(keyValue + uid).digest("base64");
           if (secWSAccept !== digest) {
             failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header.");
             return;
@@ -44397,9 +44673,9 @@ var require_frame = __commonJS({
   "node_modules/undici/lib/websocket/frame.js"(exports2, module2) {
     "use strict";
     var { maxUnsigned16Bit } = require_constants5();
-    var crypto7;
+    var crypto9;
     try {
-      crypto7 = require("crypto");
+      crypto9 = require("crypto");
     } catch {
     }
     var WebsocketFrameSend = class {
@@ -44408,7 +44684,7 @@ var require_frame = __commonJS({
        */
       constructor(data) {
         this.frameData = data;
-        this.maskKey = crypto7.randomBytes(4);
+        this.maskKey = crypto9.randomBytes(4);
       }
       createFrame(opcode) {
         const bodyLength = this.frameData?.byteLength ?? 0;
@@ -45150,11 +45426,11 @@ var require_undici = __commonJS({
           if (typeof opts.path !== "string") {
             throw new InvalidArgumentError("invalid opts.path");
           }
-          let path29 = opts.path;
+          let path33 = opts.path;
           if (!opts.path.startsWith("/")) {
-            path29 = `/${path29}`;
+            path33 = `/${path33}`;
           }
-          url = new URL(util.parseOrigin(url).origin + path29);
+          url = new URL(util.parseOrigin(url).origin + path33);
         } else {
           if (!opts) {
             opts = typeof url === "object" ? url : {};
@@ -45723,7 +45999,7 @@ var init_mcp_check_provider = __esm({
             logger.warn(
               `MCP ${transportName} failed (attempt ${attempt + 1}/${maxRetries + 1}), retrying in ${delay}ms: ${error instanceof Error ? error.message : String(error)}`
             );
-            await new Promise((resolve15) => setTimeout(resolve15, delay));
+            await new Promise((resolve19) => setTimeout(resolve19, delay));
             attempt += 1;
           } finally {
             try {
@@ -46016,7 +46292,7 @@ async function acquirePromptLock() {
     );
   }, 1e4);
   try {
-    await new Promise((resolve15) => waiters.push(resolve15));
+    await new Promise((resolve19) => waiters.push(resolve19));
   } finally {
     clearInterval(reminder);
     const waitedMs = Date.now() - queuedAt;
@@ -46035,7 +46311,7 @@ function releasePromptLock() {
 }
 async function interactivePrompt(options) {
   await acquirePromptLock();
-  return new Promise((resolve15, reject) => {
+  return new Promise((resolve19, reject) => {
     const dbg = process.env.VISOR_DEBUG === "true";
     try {
       if (dbg) {
@@ -46122,12 +46398,12 @@ async function interactivePrompt(options) {
     };
     const finish = (value) => {
       cleanup();
-      resolve15(value);
+      resolve19(value);
     };
     if (options.timeout && options.timeout > 0) {
       timeoutId = setTimeout(() => {
         cleanup();
-        if (defaultValue !== void 0) return resolve15(defaultValue);
+        if (defaultValue !== void 0) return resolve19(defaultValue);
         return reject(new Error("Input timeout"));
       }, options.timeout);
     }
@@ -46259,7 +46535,7 @@ async function interactivePrompt(options) {
   });
 }
 async function simplePrompt(prompt) {
-  return new Promise((resolve15) => {
+  return new Promise((resolve19) => {
     const rl = readline.createInterface({
       input: process.stdin,
       output: process.stdout
@@ -46275,7 +46551,7 @@ async function simplePrompt(prompt) {
     rl.question(`${prompt}
 > `, (answer) => {
       rl.close();
-      resolve15(answer.trim());
+      resolve19(answer.trim());
     });
   });
 }
@@ -46443,7 +46719,7 @@ function isStdinAvailable() {
   return !process.stdin.isTTY;
 }
 async function readStdin(timeout, maxSize = 1024 * 1024) {
-  return new Promise((resolve15, reject) => {
+  return new Promise((resolve19, reject) => {
     let data = "";
     let timeoutId;
     if (timeout) {
@@ -46470,7 +46746,7 @@ async function readStdin(timeout, maxSize = 1024 * 1024) {
     };
     const onEnd = () => {
       cleanup();
-      resolve15(data.trim());
+      resolve19(data.trim());
     };
     const onError = (err) => {
       cleanup();
@@ -51170,23 +51446,23 @@ __export(renderer_schema_exports, {
 });
 async function loadRendererSchema(name) {
   try {
-    const fs25 = await import("fs/promises");
-    const path29 = await import("path");
+    const fs29 = await import("fs/promises");
+    const path33 = await import("path");
     const sanitized = String(name).replace(/[^a-zA-Z0-9-]/g, "");
     if (!sanitized) return void 0;
     const candidates = [
       // When bundled with ncc, __dirname is dist/ and output/ is at dist/output/
-      path29.join(__dirname, "output", sanitized, "schema.json"),
+      path33.join(__dirname, "output", sanitized, "schema.json"),
       // When running from source, __dirname is src/state-machine/dispatch/ and output/ is at output/
-      path29.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
+      path33.join(__dirname, "..", "..", "output", sanitized, "schema.json"),
       // When running from a checkout with output/ folder copied to CWD
-      path29.join(process.cwd(), "output", sanitized, "schema.json"),
+      path33.join(process.cwd(), "output", sanitized, "schema.json"),
       // Fallback: cwd/dist/output/
-      path29.join(process.cwd(), "dist", "output", sanitized, "schema.json")
+      path33.join(process.cwd(), "dist", "output", sanitized, "schema.json")
     ];
     for (const p of candidates) {
       try {
-        const raw = await fs25.readFile(p, "utf-8");
+        const raw = await fs29.readFile(p, "utf-8");
         return JSON.parse(raw);
       } catch {
       }
@@ -53631,8 +53907,8 @@ function updateStats2(results, state, isForEachIteration = false) {
 async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
   try {
     const { createExtendedLiquid: createExtendedLiquid2 } = await Promise.resolve().then(() => (init_liquid_extensions(), liquid_extensions_exports));
-    const fs25 = await import("fs/promises");
-    const path29 = await import("path");
+    const fs29 = await import("fs/promises");
+    const path33 = await import("path");
     const schemaRaw = checkConfig.schema || "plain";
     const schema = typeof schemaRaw === "string" && !schemaRaw.includes("{{") && !schemaRaw.includes("{%") ? schemaRaw : typeof schemaRaw === "object" ? "code-review" : "plain";
     let templateContent;
@@ -53641,27 +53917,27 @@ async function renderTemplateContent2(checkId, checkConfig, reviewSummary) {
       logger.debug(`[LevelDispatch] Using inline template for ${checkId}`);
     } else if (checkConfig.template && checkConfig.template.file) {
       const file = String(checkConfig.template.file);
-      const resolved = path29.resolve(process.cwd(), file);
-      templateContent = await fs25.readFile(resolved, "utf-8");
+      const resolved = path33.resolve(process.cwd(), file);
+      templateContent = await fs29.readFile(resolved, "utf-8");
       logger.debug(`[LevelDispatch] Using template file for ${checkId}: ${resolved}`);
     } else if (schema && schema !== "plain") {
       const sanitized = String(schema).replace(/[^a-zA-Z0-9-]/g, "");
       if (sanitized) {
         const candidatePaths = [
-          path29.join(__dirname, "output", sanitized, "template.liquid"),
+          path33.join(__dirname, "output", sanitized, "template.liquid"),
           // bundled: dist/output/
-          path29.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
+          path33.join(__dirname, "..", "..", "output", sanitized, "template.liquid"),
           // source (from state-machine/states)
-          path29.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
+          path33.join(__dirname, "..", "..", "..", "output", sanitized, "template.liquid"),
           // source (alternate)
-          path29.join(process.cwd(), "output", sanitized, "template.liquid"),
+          path33.join(process.cwd(), "output", sanitized, "template.liquid"),
           // fallback: cwd/output/
-          path29.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
+          path33.join(process.cwd(), "dist", "output", sanitized, "template.liquid")
           // fallback: cwd/dist/output/
         ];
         for (const p of candidatePaths) {
           try {
-            templateContent = await fs25.readFile(p, "utf-8");
+            templateContent = await fs29.readFile(p, "utf-8");
             if (templateContent) {
               logger.debug(`[LevelDispatch] Using schema template for ${checkId}: ${p}`);
               break;
@@ -55801,8 +56077,8 @@ var init_workspace_manager = __esm({
         );
         if (this.cleanupRequested && this.activeOperations === 0) {
           logger.debug(`[Workspace] All references released, proceeding with deferred cleanup`);
-          for (const resolve15 of this.cleanupResolvers) {
-            resolve15();
+          for (const resolve19 of this.cleanupResolvers) {
+            resolve19();
           }
           this.cleanupResolvers = [];
         }
@@ -55981,19 +56257,19 @@ var init_workspace_manager = __esm({
           );
           this.cleanupRequested = true;
           await Promise.race([
-            new Promise((resolve15) => {
+            new Promise((resolve19) => {
               if (this.activeOperations === 0) {
-                resolve15();
+                resolve19();
               } else {
-                this.cleanupResolvers.push(resolve15);
+                this.cleanupResolvers.push(resolve19);
               }
             }),
-            new Promise((resolve15) => {
+            new Promise((resolve19) => {
               setTimeout(() => {
                 logger.warn(
                   `[Workspace] Cleanup timeout after ${timeout}ms, proceeding anyway (${this.activeOperations} operations still active)`
                 );
-                resolve15();
+                resolve19();
               }, timeout);
             })
           ]);
@@ -56387,8 +56663,8 @@ var init_fair_concurrency_limiter = __esm({
         );
         const queuedAt = Date.now();
         const effectiveTimeout = queueTimeout ?? 12e4;
-        return new Promise((resolve15, reject) => {
-          const entry = { resolve: resolve15, reject, queuedAt };
+        return new Promise((resolve19, reject) => {
+          const entry = { resolve: resolve19, reject, queuedAt };
           entry.reminder = setInterval(() => {
             const waited = Math.round((Date.now() - queuedAt) / 1e3);
             const curQueued = this._totalQueued();
@@ -56695,6 +56971,1380 @@ var init_build_engine_context = __esm({
   }
 });
 
+// src/policy/default-engine.ts
+var DefaultPolicyEngine;
+var init_default_engine = __esm({
+  "src/policy/default-engine.ts"() {
+    "use strict";
+    DefaultPolicyEngine = class {
+      async initialize(_config) {
+      }
+      async evaluateCheckExecution(_checkId, _checkConfig) {
+        return { allowed: true };
+      }
+      async evaluateToolInvocation(_serverName, _methodName, _transport) {
+        return { allowed: true };
+      }
+      async evaluateCapabilities(_checkId, _capabilities) {
+        return { allowed: true };
+      }
+      async shutdown() {
+      }
+    };
+  }
+});
+
+// src/enterprise/license/validator.ts
+var validator_exports = {};
+__export(validator_exports, {
+  LicenseValidator: () => LicenseValidator
+});
+var crypto3, fs21, path26, LicenseValidator;
+var init_validator = __esm({
+  "src/enterprise/license/validator.ts"() {
+    "use strict";
+    crypto3 = __toESM(require("crypto"));
+    fs21 = __toESM(require("fs"));
+    path26 = __toESM(require("path"));
+    LicenseValidator = class _LicenseValidator {
+      /** Ed25519 public key for license verification (PEM format). */
+      static PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAI/Zd08EFmgIdrDm/HXd0l3/5GBt7R1PrdvhdmEXhJlU=\n-----END PUBLIC KEY-----\n";
+      cache = null;
+      static CACHE_TTL = 5 * 60 * 1e3;
+      // 5 minutes
+      static GRACE_PERIOD = 72 * 3600 * 1e3;
+      // 72 hours after expiry
+      /**
+       * Load and validate license from environment or file.
+       *
+       * Resolution order:
+       * 1. VISOR_LICENSE env var (JWT string)
+       * 2. VISOR_LICENSE_FILE env var (path to file)
+       * 3. .visor-license in project root (cwd)
+       * 4. .visor-license in ~/.config/visor/
+       */
+      async loadAndValidate() {
+        if (this.cache && Date.now() - this.cache.validatedAt < _LicenseValidator.CACHE_TTL) {
+          return this.cache.payload;
+        }
+        const token = this.resolveToken();
+        if (!token) return null;
+        const payload = this.verifyAndDecode(token);
+        if (!payload) return null;
+        this.cache = { payload, validatedAt: Date.now() };
+        return payload;
+      }
+      /** Check if a specific feature is licensed */
+      hasFeature(feature) {
+        if (!this.cache) return false;
+        return this.cache.payload.features.includes(feature);
+      }
+      /** Check if license is valid (with grace period) */
+      isValid() {
+        if (!this.cache) return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1e3;
+        return now < expiryMs + _LicenseValidator.GRACE_PERIOD;
+      }
+      /** Check if the license is within its grace period (expired but still valid) */
+      isInGracePeriod() {
+        if (!this.cache) return false;
+        const now = Date.now();
+        const expiryMs = this.cache.payload.exp * 1e3;
+        return now >= expiryMs && now < expiryMs + _LicenseValidator.GRACE_PERIOD;
+      }
+      resolveToken() {
+        if (process.env.VISOR_LICENSE) {
+          return process.env.VISOR_LICENSE.trim();
+        }
+        if (process.env.VISOR_LICENSE_FILE) {
+          const resolved = path26.resolve(process.env.VISOR_LICENSE_FILE);
+          const home2 = process.env.HOME || process.env.USERPROFILE || "";
+          const allowedPrefixes = [path26.normalize(process.cwd())];
+          if (home2) allowedPrefixes.push(path26.normalize(path26.join(home2, ".config", "visor")));
+          let realPath;
+          try {
+            realPath = fs21.realpathSync(resolved);
+          } catch {
+            return null;
+          }
+          const isSafe = allowedPrefixes.some(
+            (prefix) => realPath === prefix || realPath.startsWith(prefix + path26.sep)
+          );
+          if (!isSafe) return null;
+          return this.readFile(realPath);
+        }
+        const cwdPath = path26.join(process.cwd(), ".visor-license");
+        const cwdToken = this.readFile(cwdPath);
+        if (cwdToken) return cwdToken;
+        const home = process.env.HOME || process.env.USERPROFILE || "";
+        if (home) {
+          const configPath = path26.join(home, ".config", "visor", ".visor-license");
+          const configToken = this.readFile(configPath);
+          if (configToken) return configToken;
+        }
+        return null;
+      }
+      readFile(filePath) {
+        try {
+          return fs21.readFileSync(filePath, "utf-8").trim();
+        } catch {
+          return null;
+        }
+      }
+      verifyAndDecode(token) {
+        try {
+          const parts = token.split(".");
+          if (parts.length !== 3) return null;
+          const [headerB64, payloadB64, signatureB64] = parts;
+          const header = JSON.parse(Buffer.from(headerB64, "base64url").toString());
+          if (header.alg !== "EdDSA") return null;
+          const data = `${headerB64}.${payloadB64}`;
+          const signature = Buffer.from(signatureB64, "base64url");
+          const publicKey = crypto3.createPublicKey(_LicenseValidator.PUBLIC_KEY);
+          if (publicKey.asymmetricKeyType !== "ed25519") {
+            return null;
+          }
+          const isValid = crypto3.verify(null, Buffer.from(data), publicKey, signature);
+          if (!isValid) return null;
+          const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+          if (!payload.org || !Array.isArray(payload.features) || typeof payload.exp !== "number" || typeof payload.iat !== "number" || !payload.sub) {
+            return null;
+          }
+          const now = Date.now();
+          const expiryMs = payload.exp * 1e3;
+          if (now >= expiryMs + _LicenseValidator.GRACE_PERIOD) {
+            return null;
+          }
+          return payload;
+        } catch {
+          return null;
+        }
+      }
+    };
+  }
+});
+
+// src/enterprise/policy/opa-compiler.ts
+var fs22, path27, os2, crypto4, import_child_process8, OpaCompiler;
+var init_opa_compiler = __esm({
+  "src/enterprise/policy/opa-compiler.ts"() {
+    "use strict";
+    fs22 = __toESM(require("fs"));
+    path27 = __toESM(require("path"));
+    os2 = __toESM(require("os"));
+    crypto4 = __toESM(require("crypto"));
+    import_child_process8 = require("child_process");
+    OpaCompiler = class _OpaCompiler {
+      static CACHE_DIR = path27.join(os2.tmpdir(), "visor-opa-cache");
+      /**
+       * Resolve the input paths to WASM bytes.
+       *
+       * Strategy:
+       * 1. If any path is a .wasm file, read it directly
+       * 2. If a directory contains policy.wasm, read it
+       * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
+       */
+      async resolveWasmBytes(paths) {
+        const regoFiles = [];
+        for (const p of paths) {
+          const resolved = path27.resolve(p);
+          if (path27.normalize(resolved).includes("..")) {
+            throw new Error(`Policy path contains traversal sequences: ${p}`);
+          }
+          if (resolved.endsWith(".wasm") && fs22.existsSync(resolved)) {
+            return fs22.readFileSync(resolved);
+          }
+          if (!fs22.existsSync(resolved)) continue;
+          const stat2 = fs22.statSync(resolved);
+          if (stat2.isDirectory()) {
+            const wasmCandidate = path27.join(resolved, "policy.wasm");
+            if (fs22.existsSync(wasmCandidate)) {
+              return fs22.readFileSync(wasmCandidate);
+            }
+            const files = fs22.readdirSync(resolved);
+            for (const f of files) {
+              if (f.endsWith(".rego")) {
+                regoFiles.push(path27.join(resolved, f));
+              }
+            }
+          } else if (resolved.endsWith(".rego")) {
+            regoFiles.push(resolved);
+          }
+        }
+        if (regoFiles.length === 0) {
+          throw new Error(
+            `OPA WASM evaluator: no .wasm bundle or .rego files found in: ${paths.join(", ")}`
+          );
+        }
+        return this.compileRego(regoFiles);
+      }
+      /**
+       * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
+       *
+       * Caches the compiled bundle based on a content hash of all input .rego files
+       * so subsequent runs skip compilation if policies haven't changed.
+       */
+      compileRego(regoFiles) {
+        try {
+          (0, import_child_process8.execFileSync)("opa", ["version"], { stdio: "pipe" });
+        } catch {
+          throw new Error(
+            "OPA CLI (`opa`) not found on PATH. Install it from https://www.openpolicyagent.org/docs/latest/#running-opa\nOr pre-compile your .rego files: opa build -t wasm -e visor -o bundle.tar.gz " + regoFiles.join(" ")
+          );
+        }
+        const hash = crypto4.createHash("sha256");
+        for (const f of regoFiles.sort()) {
+          hash.update(fs22.readFileSync(f));
+          hash.update(f);
+        }
+        const cacheKey = hash.digest("hex").slice(0, 16);
+        const cacheDir = _OpaCompiler.CACHE_DIR;
+        const cachedWasm = path27.join(cacheDir, `${cacheKey}.wasm`);
+        if (fs22.existsSync(cachedWasm)) {
+          return fs22.readFileSync(cachedWasm);
+        }
+        fs22.mkdirSync(cacheDir, { recursive: true });
+        const bundleTar = path27.join(cacheDir, `${cacheKey}-bundle.tar.gz`);
+        try {
+          const args = [
+            "build",
+            "-t",
+            "wasm",
+            "-e",
+            "visor",
+            // entrypoint: the visor package tree
+            "-o",
+            bundleTar,
+            ...regoFiles
+          ];
+          (0, import_child_process8.execFileSync)("opa", args, {
+            stdio: "pipe",
+            timeout: 3e4
+          });
+        } catch (err) {
+          const stderr = err?.stderr?.toString() || "";
+          throw new Error(
+            `Failed to compile .rego files to WASM:
+${stderr}
+Ensure your .rego files are valid and the \`opa\` CLI is installed.`
+          );
+        }
+        try {
+          (0, import_child_process8.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "/policy.wasm"], {
+            stdio: "pipe"
+          });
+          const extractedWasm = path27.join(cacheDir, "policy.wasm");
+          if (fs22.existsSync(extractedWasm)) {
+            fs22.renameSync(extractedWasm, cachedWasm);
+          }
+        } catch {
+          try {
+            (0, import_child_process8.execFileSync)("tar", ["-xzf", bundleTar, "-C", cacheDir, "policy.wasm"], {
+              stdio: "pipe"
+            });
+            const extractedWasm = path27.join(cacheDir, "policy.wasm");
+            if (fs22.existsSync(extractedWasm)) {
+              fs22.renameSync(extractedWasm, cachedWasm);
+            }
+          } catch (err2) {
+            throw new Error(`Failed to extract policy.wasm from OPA bundle: ${err2?.message || err2}`);
+          }
+        }
+        try {
+          fs22.unlinkSync(bundleTar);
+        } catch {
+        }
+        if (!fs22.existsSync(cachedWasm)) {
+          throw new Error("OPA build succeeded but policy.wasm was not found in the bundle");
+        }
+        return fs22.readFileSync(cachedWasm);
+      }
+    };
+  }
+});
+
+// src/enterprise/policy/opa-wasm-evaluator.ts
+var fs23, path28, OpaWasmEvaluator;
+var init_opa_wasm_evaluator = __esm({
+  "src/enterprise/policy/opa-wasm-evaluator.ts"() {
+    "use strict";
+    fs23 = __toESM(require("fs"));
+    path28 = __toESM(require("path"));
+    init_opa_compiler();
+    OpaWasmEvaluator = class {
+      policy = null;
+      dataDocument = {};
+      compiler = new OpaCompiler();
+      async initialize(rulesPath) {
+        const paths = Array.isArray(rulesPath) ? rulesPath : [rulesPath];
+        const wasmBytes = await this.compiler.resolveWasmBytes(paths);
+        try {
+          const { createRequire } = require("module");
+          const runtimeRequire = createRequire(__filename);
+          const opaWasm = runtimeRequire("@open-policy-agent/opa-wasm");
+          const loadPolicy = opaWasm.loadPolicy || opaWasm.default?.loadPolicy;
+          if (!loadPolicy) {
+            throw new Error("loadPolicy not found in @open-policy-agent/opa-wasm");
+          }
+          this.policy = await loadPolicy(wasmBytes);
+        } catch (err) {
+          if (err?.code === "MODULE_NOT_FOUND" || err?.code === "ERR_MODULE_NOT_FOUND") {
+            throw new Error(
+              "OPA WASM evaluator requires @open-policy-agent/opa-wasm. Install it with: npm install @open-policy-agent/opa-wasm"
+            );
+          }
+          throw err;
+        }
+      }
+      /**
+       * Load external data from a JSON file to use as the OPA data document.
+       * The loaded data will be passed to `policy.setData()` during evaluation,
+       * making it available in Rego via `data.<key>`.
+       */
+      loadData(dataPath) {
+        const resolved = path28.resolve(dataPath);
+        if (path28.normalize(resolved).includes("..")) {
+          throw new Error(`Data path contains traversal sequences: ${dataPath}`);
+        }
+        if (!fs23.existsSync(resolved)) {
+          throw new Error(`OPA data file not found: ${resolved}`);
+        }
+        const stat2 = fs23.statSync(resolved);
+        if (stat2.size > 10 * 1024 * 1024) {
+          throw new Error(`OPA data file exceeds 10MB limit: ${resolved} (${stat2.size} bytes)`);
+        }
+        const raw = fs23.readFileSync(resolved, "utf-8");
+        try {
+          const parsed = JSON.parse(raw);
+          if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+            throw new Error("OPA data file must contain a JSON object (not an array or primitive)");
+          }
+          this.dataDocument = parsed;
+        } catch (err) {
+          if (err.message.startsWith("OPA data file must")) {
+            throw err;
+          }
+          throw new Error(`Failed to parse OPA data file ${resolved}: ${err.message}`);
+        }
+      }
+      async evaluate(input) {
+        if (!this.policy) {
+          throw new Error("OPA WASM evaluator not initialized");
+        }
+        this.policy.setData(this.dataDocument);
+        const resultSet = this.policy.evaluate(input);
+        if (Array.isArray(resultSet) && resultSet.length > 0) {
+          return resultSet[0].result;
+        }
+        return void 0;
+      }
+      async shutdown() {
+        if (this.policy) {
+          if (typeof this.policy.close === "function") {
+            try {
+              this.policy.close();
+            } catch {
+            }
+          } else if (typeof this.policy.free === "function") {
+            try {
+              this.policy.free();
+            } catch {
+            }
+          }
+        }
+        this.policy = null;
+      }
+    };
+  }
+});
+
+// src/enterprise/policy/opa-http-evaluator.ts
+var OpaHttpEvaluator;
+var init_opa_http_evaluator = __esm({
+  "src/enterprise/policy/opa-http-evaluator.ts"() {
+    "use strict";
+    OpaHttpEvaluator = class {
+      baseUrl;
+      timeout;
+      constructor(baseUrl, timeout = 5e3) {
+        let parsed;
+        try {
+          parsed = new URL(baseUrl);
+        } catch {
+          throw new Error(`OPA HTTP evaluator: invalid URL: ${baseUrl}`);
+        }
+        if (!["http:", "https:"].includes(parsed.protocol)) {
+          throw new Error(
+            `OPA HTTP evaluator: url must use http:// or https:// protocol, got: ${baseUrl}`
+          );
+        }
+        const hostname = parsed.hostname;
+        if (this.isBlockedHostname(hostname)) {
+          throw new Error(
+            `OPA HTTP evaluator: url must not point to internal, loopback, or private network addresses`
+          );
+        }
+        this.baseUrl = baseUrl.replace(/\/+$/, "");
+        this.timeout = timeout;
+      }
+      /**
+       * Check if a hostname is blocked due to SSRF concerns.
+       *
+       * Blocks:
+       * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
+       * - Link-local addresses (169.254.x.x)
+       * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
+       * - IPv6 unique local addresses (fd00::/8)
+       * - Cloud metadata services (*.internal)
+       */
+      isBlockedHostname(hostname) {
+        if (!hostname) return true;
+        const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, "");
+        if (normalized === "metadata.google.internal" || normalized.endsWith(".internal")) {
+          return true;
+        }
+        if (normalized === "localhost" || normalized === "localhost.localdomain") {
+          return true;
+        }
+        if (normalized === "::1" || normalized === "0:0:0:0:0:0:0:1") {
+          return true;
+        }
+        const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+        const ipv4Match = normalized.match(ipv4Pattern);
+        if (ipv4Match) {
+          const octets = ipv4Match.slice(1, 5).map(Number);
+          if (octets.some((octet) => octet > 255)) {
+            return false;
+          }
+          const [a, b] = octets;
+          if (a === 127) {
+            return true;
+          }
+          if (a === 0) {
+            return true;
+          }
+          if (a === 169 && b === 254) {
+            return true;
+          }
+          if (a === 10) {
+            return true;
+          }
+          if (a === 172 && b >= 16 && b <= 31) {
+            return true;
+          }
+          if (a === 192 && b === 168) {
+            return true;
+          }
+        }
+        if (normalized.startsWith("fd") || normalized.startsWith("fc")) {
+          return true;
+        }
+        if (normalized.startsWith("fe80:")) {
+          return true;
+        }
+        return false;
+      }
+      /**
+       * Evaluate a policy rule against an input document via OPA REST API.
+       *
+       * @param input - The input document to evaluate
+       * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
+       * @returns The result object from OPA, or undefined on error
+       */
+      async evaluate(input, rulePath) {
+        const encodedPath = rulePath.split("/").map((s) => encodeURIComponent(s)).join("/");
+        const url = `${this.baseUrl}/v1/data/${encodedPath}`;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+          const response = await fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ input }),
+            signal: controller.signal
+          });
+          if (!response.ok) {
+            throw new Error(`OPA HTTP ${response.status}: ${response.statusText}`);
+          }
+          let body;
+          try {
+            body = await response.json();
+          } catch (jsonErr) {
+            throw new Error(
+              `OPA HTTP evaluator: failed to parse JSON response: ${jsonErr instanceof Error ? jsonErr.message : String(jsonErr)}`
+            );
+          }
+          return body?.result;
+        } finally {
+          clearTimeout(timer);
+        }
+      }
+      async shutdown() {
+      }
+    };
+  }
+});
+
+// src/enterprise/policy/policy-input-builder.ts
+var PolicyInputBuilder;
+var init_policy_input_builder = __esm({
+  "src/enterprise/policy/policy-input-builder.ts"() {
+    "use strict";
+    PolicyInputBuilder = class {
+      roles;
+      actor;
+      repository;
+      pullRequest;
+      constructor(policyConfig, actor, repository, pullRequest) {
+        this.roles = policyConfig.roles || {};
+        this.actor = actor;
+        this.repository = repository;
+        this.pullRequest = pullRequest;
+      }
+      /** Resolve which roles apply to the current actor. */
+      resolveRoles() {
+        const matched = [];
+        for (const [roleName, roleConfig] of Object.entries(this.roles)) {
+          let identityMatch = false;
+          if (roleConfig.author_association && this.actor.authorAssociation && roleConfig.author_association.includes(this.actor.authorAssociation)) {
+            identityMatch = true;
+          }
+          if (!identityMatch && roleConfig.users && this.actor.login && roleConfig.users.includes(this.actor.login)) {
+            identityMatch = true;
+          }
+          if (!identityMatch && roleConfig.slack_users && this.actor.slack?.userId && roleConfig.slack_users.includes(this.actor.slack.userId)) {
+            identityMatch = true;
+          }
+          if (!identityMatch && roleConfig.emails && this.actor.slack?.email) {
+            const actorEmail = this.actor.slack.email.toLowerCase();
+            if (roleConfig.emails.some((e) => e.toLowerCase() === actorEmail)) {
+              identityMatch = true;
+            }
+          }
+          if (!identityMatch) continue;
+          if (roleConfig.slack_channels && roleConfig.slack_channels.length > 0) {
+            if (!this.actor.slack?.channelId || !roleConfig.slack_channels.includes(this.actor.slack.channelId)) {
+              continue;
+            }
+          }
+          matched.push(roleName);
+        }
+        return matched;
+      }
+      buildActor() {
+        return {
+          authorAssociation: this.actor.authorAssociation,
+          login: this.actor.login,
+          roles: this.resolveRoles(),
+          isLocalMode: this.actor.isLocalMode,
+          ...this.actor.slack && { slack: this.actor.slack }
+        };
+      }
+      forCheckExecution(check) {
+        return {
+          scope: "check.execute",
+          check: {
+            id: check.id,
+            type: check.type,
+            group: check.group,
+            tags: check.tags,
+            criticality: check.criticality,
+            sandbox: check.sandbox,
+            policy: check.policy
+          },
+          actor: this.buildActor(),
+          repository: this.repository,
+          pullRequest: this.pullRequest
+        };
+      }
+      forToolInvocation(serverName, methodName, transport) {
+        return {
+          scope: "tool.invoke",
+          tool: { serverName, methodName, transport },
+          actor: this.buildActor(),
+          repository: this.repository,
+          pullRequest: this.pullRequest
+        };
+      }
+      forCapabilityResolve(checkId, capabilities) {
+        return {
+          scope: "capability.resolve",
+          check: { id: checkId, type: "ai" },
+          capability: capabilities,
+          actor: this.buildActor(),
+          repository: this.repository,
+          pullRequest: this.pullRequest
+        };
+      }
+    };
+  }
+});
+
+// src/enterprise/policy/opa-policy-engine.ts
+var opa_policy_engine_exports = {};
+__export(opa_policy_engine_exports, {
+  OpaPolicyEngine: () => OpaPolicyEngine
+});
+var OpaPolicyEngine;
+var init_opa_policy_engine = __esm({
+  "src/enterprise/policy/opa-policy-engine.ts"() {
+    "use strict";
+    init_opa_wasm_evaluator();
+    init_opa_http_evaluator();
+    init_policy_input_builder();
+    OpaPolicyEngine = class {
+      evaluator = null;
+      fallback;
+      timeout;
+      config;
+      inputBuilder = null;
+      logger = null;
+      constructor(config) {
+        this.config = config;
+        this.fallback = config.fallback || "deny";
+        this.timeout = config.timeout || 5e3;
+      }
+      async initialize(config) {
+        try {
+          this.logger = (init_logger(), __toCommonJS(logger_exports)).logger;
+        } catch {
+        }
+        const actor = {
+          authorAssociation: process.env.VISOR_AUTHOR_ASSOCIATION,
+          login: process.env.VISOR_AUTHOR_LOGIN || process.env.GITHUB_ACTOR,
+          isLocalMode: !process.env.GITHUB_ACTIONS
+        };
+        const repo = {
+          owner: process.env.GITHUB_REPOSITORY_OWNER,
+          name: process.env.GITHUB_REPOSITORY?.split("/")[1],
+          branch: process.env.GITHUB_HEAD_REF,
+          baseBranch: process.env.GITHUB_BASE_REF,
+          event: process.env.GITHUB_EVENT_NAME
+        };
+        const prNum = process.env.GITHUB_PR_NUMBER ? parseInt(process.env.GITHUB_PR_NUMBER, 10) : void 0;
+        const pullRequest = {
+          number: prNum !== void 0 && Number.isFinite(prNum) ? prNum : void 0
+        };
+        this.inputBuilder = new PolicyInputBuilder(config, actor, repo, pullRequest);
+        if (config.engine === "local") {
+          if (!config.rules) {
+            throw new Error("OPA local mode requires `policy.rules` path to .wasm or .rego files");
+          }
+          const wasm = new OpaWasmEvaluator();
+          await wasm.initialize(config.rules);
+          if (config.data) {
+            wasm.loadData(config.data);
+          }
+          this.evaluator = wasm;
+        } else if (config.engine === "remote") {
+          if (!config.url) {
+            throw new Error("OPA remote mode requires `policy.url` pointing to OPA server");
+          }
+          this.evaluator = new OpaHttpEvaluator(config.url, this.timeout);
+        } else {
+          this.evaluator = null;
+        }
+      }
+      /**
+       * Update actor/repo/PR context (e.g., after PR info becomes available).
+       * Called by the enterprise loader when engine context is enriched.
+       */
+      setActorContext(actor, repo, pullRequest) {
+        this.inputBuilder = new PolicyInputBuilder(this.config, actor, repo, pullRequest);
+      }
+      async evaluateCheckExecution(checkId, checkConfig) {
+        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
+        const cfg = checkConfig && typeof checkConfig === "object" ? checkConfig : {};
+        const policyOverride = cfg.policy;
+        const input = this.inputBuilder.forCheckExecution({
+          id: checkId,
+          type: cfg.type || "ai",
+          group: cfg.group,
+          tags: cfg.tags,
+          criticality: cfg.criticality,
+          sandbox: cfg.sandbox,
+          policy: policyOverride
+        });
+        return this.doEvaluate(input, this.resolveRulePath("check.execute", policyOverride?.rule));
+      }
+      async evaluateToolInvocation(serverName, methodName, transport) {
+        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
+        const input = this.inputBuilder.forToolInvocation(serverName, methodName, transport);
+        return this.doEvaluate(input, "visor/tool/invoke");
+      }
+      async evaluateCapabilities(checkId, capabilities) {
+        if (!this.evaluator || !this.inputBuilder) return { allowed: true };
+        const input = this.inputBuilder.forCapabilityResolve(checkId, capabilities);
+        return this.doEvaluate(input, "visor/capability/resolve");
+      }
+      async shutdown() {
+        if (this.evaluator && "shutdown" in this.evaluator) {
+          await this.evaluator.shutdown();
+        }
+        this.evaluator = null;
+        this.inputBuilder = null;
+      }
+      resolveRulePath(defaultScope, override) {
+        if (override) {
+          return override.startsWith("visor/") ? override : `visor/${override}`;
+        }
+        return `visor/${defaultScope.replace(/\./g, "/")}`;
+      }
+      async doEvaluate(input, rulePath) {
+        try {
+          this.logger?.debug(`[PolicyEngine] Evaluating ${rulePath}`, JSON.stringify(input));
+          let timer;
+          const timeoutPromise = new Promise((_resolve, reject) => {
+            timer = setTimeout(() => reject(new Error("policy evaluation timeout")), this.timeout);
+          });
+          try {
+            const result = await Promise.race([this.rawEvaluate(input, rulePath), timeoutPromise]);
+            const decision = this.parseDecision(result);
+            if (!decision.allowed && this.fallback === "warn") {
+              decision.allowed = true;
+              decision.warn = true;
+              decision.reason = `audit: ${decision.reason || "policy denied"}`;
+            }
+            this.logger?.debug(
+              `[PolicyEngine] Decision for ${rulePath}: allowed=${decision.allowed}, warn=${decision.warn || false}, reason=${decision.reason || "none"}`
+            );
+            return decision;
+          } finally {
+            if (timer) clearTimeout(timer);
+          }
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          this.logger?.warn(`[PolicyEngine] Evaluation failed for ${rulePath}: ${msg}`);
+          return {
+            allowed: this.fallback === "allow" || this.fallback === "warn",
+            warn: this.fallback === "warn" ? true : void 0,
+            reason: `policy evaluation failed, fallback=${this.fallback}`
+          };
+        }
+      }
+      async rawEvaluate(input, rulePath) {
+        if (this.evaluator instanceof OpaWasmEvaluator) {
+          const result = await this.evaluator.evaluate(input);
+          return this.navigateWasmResult(result, rulePath);
+        }
+        return this.evaluator.evaluate(input, rulePath);
+      }
+      /**
+       * Navigate nested OPA WASM result tree to reach the specific rule's output.
+       * The WASM entrypoint `-e visor` means the result root IS the visor package,
+       * so we strip the `visor/` prefix and walk the remaining segments.
+       */
+      navigateWasmResult(result, rulePath) {
+        if (!result || typeof result !== "object") return result;
+        const segments = rulePath.replace(/^visor\//, "").split("/");
+        let current = result;
+        for (const seg of segments) {
+          if (current && typeof current === "object" && seg in current) {
+            current = current[seg];
+          } else {
+            return void 0;
+          }
+        }
+        return current;
+      }
+      parseDecision(result) {
+        if (result === void 0 || result === null) {
+          return {
+            allowed: this.fallback === "allow" || this.fallback === "warn",
+            warn: this.fallback === "warn" ? true : void 0,
+            reason: this.fallback === "warn" ? "audit: no policy result" : "no policy result"
+          };
+        }
+        const allowed = result.allowed !== false;
+        const decision = {
+          allowed,
+          reason: result.reason
+        };
+        if (result.capabilities) {
+          decision.capabilities = result.capabilities;
+        }
+        return decision;
+      }
+    };
+  }
+});
+
+// src/enterprise/scheduler/knex-store.ts
+var knex_store_exports = {};
+__export(knex_store_exports, {
+  KnexStoreBackend: () => KnexStoreBackend
+});
+function toNum(val) {
+  if (val === null || val === void 0) return void 0;
+  return typeof val === "string" ? parseInt(val, 10) : val;
+}
+function safeJsonParse2(value) {
+  if (!value) return void 0;
+  try {
+    return JSON.parse(value);
+  } catch {
+    return void 0;
+  }
+}
+function fromTriggerRow2(row) {
+  return {
+    id: row.id,
+    creatorId: row.creator_id,
+    creatorContext: row.creator_context ?? void 0,
+    creatorName: row.creator_name ?? void 0,
+    description: row.description ?? void 0,
+    channels: safeJsonParse2(row.channels),
+    fromUsers: safeJsonParse2(row.from_users),
+    fromBots: row.from_bots === true || row.from_bots === 1,
+    contains: safeJsonParse2(row.contains),
+    matchPattern: row.match_pattern ?? void 0,
+    threads: row.threads,
+    workflow: row.workflow,
+    inputs: safeJsonParse2(row.inputs),
+    outputContext: safeJsonParse2(row.output_context),
+    status: row.status,
+    enabled: row.enabled === true || row.enabled === 1,
+    createdAt: toNum(row.created_at)
+  };
+}
+function toTriggerInsertRow(trigger) {
+  return {
+    id: trigger.id,
+    creator_id: trigger.creatorId,
+    creator_context: trigger.creatorContext ?? null,
+    creator_name: trigger.creatorName ?? null,
+    description: trigger.description ?? null,
+    channels: trigger.channels ? JSON.stringify(trigger.channels) : null,
+    from_users: trigger.fromUsers ? JSON.stringify(trigger.fromUsers) : null,
+    from_bots: trigger.fromBots,
+    contains: trigger.contains ? JSON.stringify(trigger.contains) : null,
+    match_pattern: trigger.matchPattern ?? null,
+    threads: trigger.threads,
+    workflow: trigger.workflow,
+    inputs: trigger.inputs ? JSON.stringify(trigger.inputs) : null,
+    output_context: trigger.outputContext ? JSON.stringify(trigger.outputContext) : null,
+    status: trigger.status,
+    enabled: trigger.enabled,
+    created_at: trigger.createdAt
+  };
+}
+function fromDbRow2(row) {
+  return {
+    id: row.id,
+    creatorId: row.creator_id,
+    creatorContext: row.creator_context ?? void 0,
+    creatorName: row.creator_name ?? void 0,
+    timezone: row.timezone,
+    schedule: row.schedule_expr,
+    runAt: toNum(row.run_at),
+    isRecurring: row.is_recurring === true || row.is_recurring === 1,
+    originalExpression: row.original_expression,
+    workflow: row.workflow ?? void 0,
+    workflowInputs: safeJsonParse2(row.workflow_inputs),
+    outputContext: safeJsonParse2(row.output_context),
+    status: row.status,
+    createdAt: toNum(row.created_at),
+    lastRunAt: toNum(row.last_run_at),
+    nextRunAt: toNum(row.next_run_at),
+    runCount: row.run_count,
+    failureCount: row.failure_count,
+    lastError: row.last_error ?? void 0,
+    previousResponse: row.previous_response ?? void 0
+  };
+}
+function toInsertRow(schedule) {
+  return {
+    id: schedule.id,
+    creator_id: schedule.creatorId,
+    creator_context: schedule.creatorContext ?? null,
+    creator_name: schedule.creatorName ?? null,
+    timezone: schedule.timezone,
+    schedule_expr: schedule.schedule,
+    run_at: schedule.runAt ?? null,
+    is_recurring: schedule.isRecurring,
+    original_expression: schedule.originalExpression,
+    workflow: schedule.workflow ?? null,
+    workflow_inputs: schedule.workflowInputs ? JSON.stringify(schedule.workflowInputs) : null,
+    output_context: schedule.outputContext ? JSON.stringify(schedule.outputContext) : null,
+    status: schedule.status,
+    created_at: schedule.createdAt,
+    last_run_at: schedule.lastRunAt ?? null,
+    next_run_at: schedule.nextRunAt ?? null,
+    run_count: schedule.runCount,
+    failure_count: schedule.failureCount,
+    last_error: schedule.lastError ?? null,
+    previous_response: schedule.previousResponse ?? null
+  };
+}
+var fs24, path29, import_uuid2, KnexStoreBackend;
+var init_knex_store = __esm({
+  "src/enterprise/scheduler/knex-store.ts"() {
+    "use strict";
+    fs24 = __toESM(require("fs"));
+    path29 = __toESM(require("path"));
+    import_uuid2 = require("uuid");
+    init_logger();
+    KnexStoreBackend = class {
+      knex = null;
+      driver;
+      connection;
+      constructor(driver, storageConfig, _haConfig) {
+        this.driver = driver;
+        this.connection = storageConfig.connection || {};
+      }
+      async initialize() {
+        const { createRequire } = require("module");
+        const runtimeRequire = createRequire(__filename);
+        let knexFactory;
+        try {
+          knexFactory = runtimeRequire("knex");
+        } catch (err) {
+          const code = err?.code;
+          if (code === "MODULE_NOT_FOUND" || code === "ERR_MODULE_NOT_FOUND") {
+            throw new Error(
+              "knex is required for PostgreSQL/MySQL/MSSQL schedule storage. Install it with: npm install knex"
+            );
+          }
+          throw err;
+        }
+        const clientMap = {
+          postgresql: "pg",
+          mysql: "mysql2",
+          mssql: "tedious"
+        };
+        const client = clientMap[this.driver];
+        let connection;
+        if (this.connection.connection_string) {
+          connection = this.connection.connection_string;
+        } else if (this.driver === "mssql") {
+          connection = this.buildMssqlConnection();
+        } else {
+          connection = this.buildStandardConnection();
+        }
+        this.knex = knexFactory({
+          client,
+          connection,
+          pool: {
+            min: this.connection.pool?.min ?? 0,
+            max: this.connection.pool?.max ?? 10
+          }
+        });
+        await this.migrateSchema();
+        logger.info(`[KnexStore] Initialized (${this.driver})`);
+      }
+      buildStandardConnection() {
+        return {
+          host: this.connection.host || "localhost",
+          port: this.connection.port,
+          database: this.connection.database || "visor",
+          user: this.connection.user,
+          password: this.connection.password,
+          ssl: this.resolveSslConfig()
+        };
+      }
+      buildMssqlConnection() {
+        const ssl = this.connection.ssl;
+        const sslEnabled = ssl === true || typeof ssl === "object" && ssl.enabled !== false;
+        return {
+          server: this.connection.host || "localhost",
+          port: this.connection.port,
+          database: this.connection.database || "visor",
+          user: this.connection.user,
+          password: this.connection.password,
+          options: {
+            encrypt: sslEnabled,
+            trustServerCertificate: typeof ssl === "object" ? ssl.reject_unauthorized === false : !sslEnabled
+          }
+        };
+      }
+      resolveSslConfig() {
+        const ssl = this.connection.ssl;
+        if (ssl === false || ssl === void 0) return false;
+        if (ssl === true) return { rejectUnauthorized: true };
+        if (ssl.enabled === false) return false;
+        const result = {
+          rejectUnauthorized: ssl.reject_unauthorized !== false
+        };
+        if (ssl.ca) {
+          const caPath = this.validateSslPath(ssl.ca, "CA certificate");
+          result.ca = fs24.readFileSync(caPath, "utf8");
+        }
+        if (ssl.cert) {
+          const certPath = this.validateSslPath(ssl.cert, "client certificate");
+          result.cert = fs24.readFileSync(certPath, "utf8");
+        }
+        if (ssl.key) {
+          const keyPath = this.validateSslPath(ssl.key, "client key");
+          result.key = fs24.readFileSync(keyPath, "utf8");
+        }
+        return result;
+      }
+      validateSslPath(filePath, label) {
+        const resolved = path29.resolve(filePath);
+        if (resolved !== path29.normalize(resolved)) {
+          throw new Error(`SSL ${label} path contains invalid sequences: ${filePath}`);
+        }
+        if (!fs24.existsSync(resolved)) {
+          throw new Error(`SSL ${label} not found: ${filePath}`);
+        }
+        return resolved;
+      }
+      async shutdown() {
+        if (this.knex) {
+          await this.knex.destroy();
+          this.knex = null;
+        }
+      }
+      async migrateSchema() {
+        const knex = this.getKnex();
+        const exists = await knex.schema.hasTable("schedules");
+        if (!exists) {
+          await knex.schema.createTable("schedules", (table) => {
+            table.string("id", 36).primary();
+            table.string("creator_id", 255).notNullable().index();
+            table.string("creator_context", 255);
+            table.string("creator_name", 255);
+            table.string("timezone", 64).notNullable().defaultTo("UTC");
+            table.string("schedule_expr", 255);
+            table.bigInteger("run_at");
+            table.boolean("is_recurring").notNullable();
+            table.text("original_expression");
+            table.string("workflow", 255);
+            table.text("workflow_inputs");
+            table.text("output_context");
+            table.string("status", 20).notNullable().index();
+            table.bigInteger("created_at").notNullable();
+            table.bigInteger("last_run_at");
+            table.bigInteger("next_run_at");
+            table.integer("run_count").notNullable().defaultTo(0);
+            table.integer("failure_count").notNullable().defaultTo(0);
+            table.text("last_error");
+            table.text("previous_response");
+            table.index(["status", "next_run_at"]);
+          });
+        }
+        const triggersExist = await knex.schema.hasTable("message_triggers");
+        if (!triggersExist) {
+          await knex.schema.createTable("message_triggers", (table) => {
+            table.string("id", 36).primary();
+            table.string("creator_id", 255).notNullable().index();
+            table.string("creator_context", 255);
+            table.string("creator_name", 255);
+            table.text("description");
+            table.text("channels");
+            table.text("from_users");
+            table.boolean("from_bots").notNullable().defaultTo(false);
+            table.text("contains");
+            table.text("match_pattern");
+            table.string("threads", 20).notNullable().defaultTo("any");
+            table.string("workflow", 255).notNullable();
+            table.text("inputs");
+            table.text("output_context");
+            table.string("status", 20).notNullable().defaultTo("active").index();
+            table.boolean("enabled").notNullable().defaultTo(true);
+            table.bigInteger("created_at").notNullable();
+          });
+        }
+        const locksExist = await knex.schema.hasTable("scheduler_locks");
+        if (!locksExist) {
+          await knex.schema.createTable("scheduler_locks", (table) => {
+            table.string("lock_id", 255).primary();
+            table.string("node_id", 255).notNullable();
+            table.string("lock_token", 36).notNullable();
+            table.bigInteger("acquired_at").notNullable();
+            table.bigInteger("expires_at").notNullable();
+          });
+        }
+      }
+      getKnex() {
+        if (!this.knex) {
+          throw new Error("[KnexStore] Not initialized. Call initialize() first.");
+        }
+        return this.knex;
+      }
+      // --- CRUD ---
+      async create(schedule) {
+        const knex = this.getKnex();
+        const newSchedule = {
+          ...schedule,
+          id: (0, import_uuid2.v4)(),
+          createdAt: Date.now(),
+          runCount: 0,
+          failureCount: 0,
+          status: "active"
+        };
+        await knex("schedules").insert(toInsertRow(newSchedule));
+        logger.info(`[KnexStore] Created schedule ${newSchedule.id} for user ${newSchedule.creatorId}`);
+        return newSchedule;
+      }
+      async importSchedule(schedule) {
+        const knex = this.getKnex();
+        const existing = await knex("schedules").where("id", schedule.id).first();
+        if (existing) return;
+        await knex("schedules").insert(toInsertRow(schedule));
+      }
+      async get(id) {
+        const knex = this.getKnex();
+        const row = await knex("schedules").where("id", id).first();
+        return row ? fromDbRow2(row) : void 0;
+      }
+      async update(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex("schedules").where("id", id).first();
+        if (!existing) return void 0;
+        const current = fromDbRow2(existing);
+        const updated = { ...current, ...patch, id: current.id };
+        const row = toInsertRow(updated);
+        delete row.id;
+        await knex("schedules").where("id", id).update(row);
+        return updated;
+      }
+      async delete(id) {
+        const knex = this.getKnex();
+        const deleted = await knex("schedules").where("id", id).del();
+        if (deleted > 0) {
+          logger.info(`[KnexStore] Deleted schedule ${id}`);
+          return true;
+        }
+        return false;
+      }
+      // --- Queries ---
+      async getByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex("schedules").where("creator_id", creatorId);
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getActiveSchedules() {
+        const knex = this.getKnex();
+        const rows = await knex("schedules").where("status", "active");
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getDueSchedules(now) {
+        const ts = now ?? Date.now();
+        const knex = this.getKnex();
+        const bFalse = this.driver === "mssql" ? 0 : false;
+        const bTrue = this.driver === "mssql" ? 1 : true;
+        const rows = await knex("schedules").where("status", "active").andWhere(function() {
+          this.where(function() {
+            this.where("is_recurring", bFalse).whereNotNull("run_at").where("run_at", "<=", ts);
+          }).orWhere(function() {
+            this.where("is_recurring", bTrue).whereNotNull("next_run_at").where("next_run_at", "<=", ts);
+          });
+        });
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async findByWorkflow(creatorId, workflowName) {
+        const knex = this.getKnex();
+        const escaped = workflowName.toLowerCase().replace(/[%_\\]/g, "\\$&");
+        const pattern = `%${escaped}%`;
+        const rows = await knex("schedules").where("creator_id", creatorId).where("status", "active").whereRaw("LOWER(workflow) LIKE ? ESCAPE '\\'", [pattern]);
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getAll() {
+        const knex = this.getKnex();
+        const rows = await knex("schedules");
+        return rows.map((r) => fromDbRow2(r));
+      }
+      async getStats() {
+        const knex = this.getKnex();
+        const boolTrue = this.driver === "mssql" ? "1" : "true";
+        const boolFalse = this.driver === "mssql" ? "0" : "false";
+        const result = await knex("schedules").select(
+          knex.raw("COUNT(*) as total"),
+          knex.raw("SUM(CASE WHEN status = 'active' THEN 1 ELSE 0 END) as active"),
+          knex.raw("SUM(CASE WHEN status = 'paused' THEN 1 ELSE 0 END) as paused"),
+          knex.raw("SUM(CASE WHEN status = 'completed' THEN 1 ELSE 0 END) as completed"),
+          knex.raw("SUM(CASE WHEN status = 'failed' THEN 1 ELSE 0 END) as failed"),
+          knex.raw(`SUM(CASE WHEN is_recurring = ${boolTrue} THEN 1 ELSE 0 END) as recurring`),
+          knex.raw(`SUM(CASE WHEN is_recurring = ${boolFalse} THEN 1 ELSE 0 END) as one_time`)
+        ).first();
+        return {
+          total: Number(result.total) || 0,
+          active: Number(result.active) || 0,
+          paused: Number(result.paused) || 0,
+          completed: Number(result.completed) || 0,
+          failed: Number(result.failed) || 0,
+          recurring: Number(result.recurring) || 0,
+          oneTime: Number(result.one_time) || 0
+        };
+      }
+      async validateLimits(creatorId, isRecurring, limits) {
+        const knex = this.getKnex();
+        if (limits.maxGlobal) {
+          const result = await knex("schedules").count("* as cnt").first();
+          if (Number(result?.cnt) >= limits.maxGlobal) {
+            throw new Error(`Global schedule limit reached (${limits.maxGlobal})`);
+          }
+        }
+        if (limits.maxPerUser) {
+          const result = await knex("schedules").where("creator_id", creatorId).count("* as cnt").first();
+          if (Number(result?.cnt) >= limits.maxPerUser) {
+            throw new Error(`You have reached the maximum number of schedules (${limits.maxPerUser})`);
+          }
+        }
+        if (isRecurring && limits.maxRecurringPerUser) {
+          const bTrue = this.driver === "mssql" ? 1 : true;
+          const result = await knex("schedules").where("creator_id", creatorId).where("is_recurring", bTrue).count("* as cnt").first();
+          if (Number(result?.cnt) >= limits.maxRecurringPerUser) {
+            throw new Error(
+              `You have reached the maximum number of recurring schedules (${limits.maxRecurringPerUser})`
+            );
+          }
+        }
+      }
+      // --- HA Distributed Locking (via scheduler_locks table) ---
+      async tryAcquireLock(lockId, nodeId, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1e3;
+        const token = (0, import_uuid2.v4)();
+        const updated = await knex("scheduler_locks").where("lock_id", lockId).where("expires_at", "<", now).update({
+          node_id: nodeId,
+          lock_token: token,
+          acquired_at: now,
+          expires_at: expiresAt
+        });
+        if (updated > 0) return token;
+        try {
+          await knex("scheduler_locks").insert({
+            lock_id: lockId,
+            node_id: nodeId,
+            lock_token: token,
+            acquired_at: now,
+            expires_at: expiresAt
+          });
+          return token;
+        } catch {
+          return null;
+        }
+      }
+      async releaseLock(lockId, lockToken) {
+        const knex = this.getKnex();
+        await knex("scheduler_locks").where("lock_id", lockId).where("lock_token", lockToken).del();
+      }
+      async renewLock(lockId, lockToken, ttlSeconds) {
+        const knex = this.getKnex();
+        const now = Date.now();
+        const expiresAt = now + ttlSeconds * 1e3;
+        const updated = await knex("scheduler_locks").where("lock_id", lockId).where("lock_token", lockToken).update({ acquired_at: now, expires_at: expiresAt });
+        return updated > 0;
+      }
+      async flush() {
+      }
+      // --- Message Trigger CRUD ---
+      async createTrigger(trigger) {
+        const knex = this.getKnex();
+        const newTrigger = {
+          ...trigger,
+          id: (0, import_uuid2.v4)(),
+          createdAt: Date.now()
+        };
+        await knex("message_triggers").insert(toTriggerInsertRow(newTrigger));
+        logger.info(`[KnexStore] Created trigger ${newTrigger.id} for user ${newTrigger.creatorId}`);
+        return newTrigger;
+      }
+      async getTrigger(id) {
+        const knex = this.getKnex();
+        const row = await knex("message_triggers").where("id", id).first();
+        return row ? fromTriggerRow2(row) : void 0;
+      }
+      async updateTrigger(id, patch) {
+        const knex = this.getKnex();
+        const existing = await knex("message_triggers").where("id", id).first();
+        if (!existing) return void 0;
+        const current = fromTriggerRow2(existing);
+        const updated = {
+          ...current,
+          ...patch,
+          id: current.id,
+          createdAt: current.createdAt
+        };
+        const row = toTriggerInsertRow(updated);
+        delete row.id;
+        await knex("message_triggers").where("id", id).update(row);
+        return updated;
+      }
+      async deleteTrigger(id) {
+        const knex = this.getKnex();
+        const deleted = await knex("message_triggers").where("id", id).del();
+        if (deleted > 0) {
+          logger.info(`[KnexStore] Deleted trigger ${id}`);
+          return true;
+        }
+        return false;
+      }
+      async getTriggersByCreator(creatorId) {
+        const knex = this.getKnex();
+        const rows = await knex("message_triggers").where("creator_id", creatorId);
+        return rows.map((r) => fromTriggerRow2(r));
+      }
+      async getActiveTriggers() {
+        const knex = this.getKnex();
+        const rows = await knex("message_triggers").where("status", "active").where("enabled", this.driver === "mssql" ? 1 : true);
+        return rows.map((r) => fromTriggerRow2(r));
+      }
+    };
+  }
+});
+
+// src/enterprise/loader.ts
+var loader_exports = {};
+__export(loader_exports, {
+  loadEnterprisePolicyEngine: () => loadEnterprisePolicyEngine,
+  loadEnterpriseStoreBackend: () => loadEnterpriseStoreBackend
+});
+async function loadEnterprisePolicyEngine(config) {
+  try {
+    const { LicenseValidator: LicenseValidator2 } = await Promise.resolve().then(() => (init_validator(), validator_exports));
+    const validator = new LicenseValidator2();
+    const license = await validator.loadAndValidate();
+    if (!license || !validator.hasFeature("policy")) {
+      return new DefaultPolicyEngine();
+    }
+    if (validator.isInGracePeriod()) {
+      console.warn(
+        "[visor:enterprise] License has expired but is within the 72-hour grace period. Please renew your license."
+      );
+    }
+    const { OpaPolicyEngine: OpaPolicyEngine2 } = await Promise.resolve().then(() => (init_opa_policy_engine(), opa_policy_engine_exports));
+    const engine = new OpaPolicyEngine2(config);
+    await engine.initialize(config);
+    return engine;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    try {
+      const { logger: logger2 } = (init_logger(), __toCommonJS(logger_exports));
+      logger2.warn(`[PolicyEngine] Enterprise policy init failed, falling back to default: ${msg}`);
+    } catch {
+    }
+    return new DefaultPolicyEngine();
+  }
+}
+async function loadEnterpriseStoreBackend(driver, storageConfig, haConfig) {
+  const { LicenseValidator: LicenseValidator2 } = await Promise.resolve().then(() => (init_validator(), validator_exports));
+  const validator = new LicenseValidator2();
+  const license = await validator.loadAndValidate();
+  if (!license || !validator.hasFeature("scheduler-sql")) {
+    throw new Error(
+      `The ${driver} schedule storage driver requires a Visor Enterprise license with the 'scheduler-sql' feature. Please upgrade or use driver: 'sqlite' (default).`
+    );
+  }
+  if (validator.isInGracePeriod()) {
+    console.warn(
+      "[visor:enterprise] License has expired but is within the 72-hour grace period. Please renew your license."
+    );
+  }
+  const { KnexStoreBackend: KnexStoreBackend2 } = await Promise.resolve().then(() => (init_knex_store(), knex_store_exports));
+  return new KnexStoreBackend2(driver, storageConfig, haConfig);
+}
+var init_loader = __esm({
+  "src/enterprise/loader.ts"() {
+    "use strict";
+    init_default_engine();
+  }
+});
+
 // src/event-bus/event-bus.ts
 var event_bus_exports = {};
 __export(event_bus_exports, {
@@ -57601,8 +59251,8 @@ ${content}
        * Sleep utility
        */
       sleep(ms) {
-        return new Promise((resolve15) => {
-          const t = setTimeout(resolve15, ms);
+        return new Promise((resolve19) => {
+          const t = setTimeout(resolve19, ms);
           if (typeof t.unref === "function") {
             try {
               t.unref();
@@ -57887,8 +59537,8 @@ ${end}`);
       async updateGroupedComment(ctx, comments, group, changedIds) {
         const existingLock = this.updateLocks.get(group);
         let resolveLock;
-        const ourLock = new Promise((resolve15) => {
-          resolveLock = resolve15;
+        const ourLock = new Promise((resolve19) => {
+          resolveLock = resolve19;
         });
         this.updateLocks.set(group, ourLock);
         try {
@@ -58219,7 +59869,7 @@ ${blocks}
        * Sleep utility for enforcing delays
        */
       sleep(ms) {
-        return new Promise((resolve15) => setTimeout(resolve15, ms));
+        return new Promise((resolve19) => setTimeout(resolve19, ms));
       }
     };
   }
@@ -60066,11 +61716,11 @@ var require_request3 = __commonJS({
     "use strict";
     var __awaiter = exports2 && exports2.__awaiter || function(thisArg, _arguments, P, generator) {
       function adopt(value) {
-        return value instanceof P ? value : new P(function(resolve15) {
-          resolve15(value);
+        return value instanceof P ? value : new P(function(resolve19) {
+          resolve19(value);
         });
       }
-      return new (P || (P = Promise))(function(resolve15, reject) {
+      return new (P || (P = Promise))(function(resolve19, reject) {
         function fulfilled(value) {
           try {
             step(generator.next(value));
@@ -60086,7 +61736,7 @@ var require_request3 = __commonJS({
           }
         }
         function step(result) {
-          result.done ? resolve15(result.value) : adopt(result.value).then(fulfilled, rejected);
+          result.done ? resolve19(result.value) : adopt(result.value).then(fulfilled, rejected);
         }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
       });
@@ -60110,9 +61760,9 @@ var require_request3 = __commonJS({
       HttpMethod2["PATCH"] = "PATCH";
     })(HttpMethod = exports2.HttpMethod || (exports2.HttpMethod = {}));
     var SvixRequest = class {
-      constructor(method, path29) {
+      constructor(method, path33) {
         this.method = method;
-        this.path = path29;
+        this.path = path33;
         this.queryParams = {};
         this.headerParams = {};
       }
@@ -60215,7 +61865,7 @@ var require_request3 = __commonJS({
     }
     function sendWithRetry(url, init, retryScheduleInMs, nextInterval = 50, triesLeft = 2, fetchImpl = fetch, retryCount = 1) {
       return __awaiter(this, void 0, void 0, function* () {
-        const sleep = (interval) => new Promise((resolve15) => setTimeout(resolve15, interval));
+        const sleep = (interval) => new Promise((resolve19) => setTimeout(resolve19, interval));
         try {
           const response = yield fetchImpl(url, init);
           if (triesLeft <= 0 || response.status < 500) {
@@ -69289,7 +70939,7 @@ ${message}`;
 });
 
 // src/agent-protocol/task-store.ts
-function safeJsonParse2(value) {
+function safeJsonParse3(value) {
   if (!value) return void 0;
   try {
     return JSON.parse(value);
@@ -69306,12 +70956,12 @@ function taskRowToAgentTask(row) {
     context_id: row.context_id,
     status: {
       state: row.state,
-      message: safeJsonParse2(row.status_message),
+      message: safeJsonParse3(row.status_message),
       timestamp: row.updated_at
     },
-    artifacts: safeJsonParse2(row.artifacts) ?? [],
-    history: safeJsonParse2(row.history) ?? [],
-    metadata: safeJsonParse2(row.request_metadata),
+    artifacts: safeJsonParse3(row.artifacts) ?? [],
+    history: safeJsonParse3(row.history) ?? [],
+    metadata: safeJsonParse3(row.request_metadata),
     workflow_id: row.workflow_id ?? void 0
   };
 }
@@ -69548,7 +71198,7 @@ var init_task_store = __esm({
         const db = this.getDb();
         const row = db.prepare("SELECT artifacts FROM agent_tasks WHERE id = ?").get(taskId);
         if (!row) throw new TaskNotFoundError(taskId);
-        const artifacts = safeJsonParse2(row.artifacts) ?? [];
+        const artifacts = safeJsonParse3(row.artifacts) ?? [];
         artifacts.push(artifact);
         db.prepare("UPDATE agent_tasks SET artifacts = ?, updated_at = ? WHERE id = ?").run(
           JSON.stringify(artifacts),
@@ -69560,7 +71210,7 @@ var init_task_store = __esm({
         const db = this.getDb();
         const row = db.prepare("SELECT history FROM agent_tasks WHERE id = ?").get(taskId);
         if (!row) throw new TaskNotFoundError(taskId);
-        const history = safeJsonParse2(row.history) ?? [];
+        const history = safeJsonParse3(row.history) ?? [];
         history.push(message);
         db.prepare("UPDATE agent_tasks SET history = ?, updated_at = ? WHERE id = ?").run(
           JSON.stringify(history),
@@ -70072,13 +71722,13 @@ __export(a2a_frontend_exports, {
   resultToArtifacts: () => resultToArtifacts
 });
 function readJsonBody(req) {
-  return new Promise((resolve15, reject) => {
+  return new Promise((resolve19, reject) => {
     const chunks = [];
     req.on("data", (chunk) => chunks.push(chunk));
     req.on("end", () => {
       try {
         const body = Buffer.concat(chunks).toString("utf8");
-        resolve15(body ? JSON.parse(body) : {});
+        resolve19(body ? JSON.parse(body) : {});
       } catch {
         reject(new ParseError("Malformed JSON body"));
       }
@@ -70321,12 +71971,12 @@ var init_a2a_frontend = __esm({
         }
         const port = this.config.port ?? 9e3;
         const host = this.config.host ?? "0.0.0.0";
-        await new Promise((resolve15) => {
+        await new Promise((resolve19) => {
           this.server.listen(port, host, () => {
             const addr = this.server.address();
             this._boundPort = typeof addr === "object" && addr ? addr.port : port;
             logger.info(`A2A server listening on ${host}:${this._boundPort}`);
-            resolve15();
+            resolve19();
           });
         });
         if (this.agentCard) {
@@ -70350,8 +72000,8 @@ var init_a2a_frontend = __esm({
         }
         this.streamManager.shutdown();
         if (this.server) {
-          await new Promise((resolve15, reject) => {
-            this.server.close((err) => err ? reject(err) : resolve15());
+          await new Promise((resolve19, reject) => {
+            this.server.close((err) => err ? reject(err) : resolve19());
           });
           this.server = null;
         }
@@ -71068,15 +72718,15 @@ function serializeRunState(state) {
     ])
   };
 }
-var path28, fs24, StateMachineExecutionEngine;
+var path32, fs28, StateMachineExecutionEngine;
 var init_state_machine_execution_engine = __esm({
   "src/state-machine-execution-engine.ts"() {
     "use strict";
     init_runner();
     init_logger();
     init_sandbox_manager();
-    path28 = __toESM(require("path"));
-    fs24 = __toESM(require("fs"));
+    path32 = __toESM(require("path"));
+    fs28 = __toESM(require("fs"));
     StateMachineExecutionEngine = class _StateMachineExecutionEngine {
       workingDirectory;
       executionContext;
@@ -71308,8 +72958,8 @@ var init_state_machine_execution_engine = __esm({
             logger.debug(
               `[PolicyEngine] Loading enterprise policy engine (engine=${configWithTagFilter.policy.engine})`
             );
-            const { loadEnterprisePolicyEngine } = await import("./enterprise/loader");
-            context2.policyEngine = await loadEnterprisePolicyEngine(configWithTagFilter.policy);
+            const { loadEnterprisePolicyEngine: loadEnterprisePolicyEngine2 } = await Promise.resolve().then(() => (init_loader(), loader_exports));
+            context2.policyEngine = await loadEnterprisePolicyEngine2(configWithTagFilter.policy);
             logger.debug(
               `[PolicyEngine] Initialized: ${context2.policyEngine?.constructor?.name || "unknown"}`
             );
@@ -71463,9 +73113,9 @@ var init_state_machine_execution_engine = __esm({
                   }
                   const checkId = String(ev?.checkId || "unknown");
                   const threadKey = ev?.threadKey || (channel && threadTs ? `${channel}:${threadTs}` : "session");
-                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path28.resolve(process.cwd(), ".visor", "snapshots");
-                  fs24.mkdirSync(baseDir, { recursive: true });
-                  const filePath = path28.join(baseDir, `${threadKey}-${checkId}.json`);
+                  const baseDir = process.env.VISOR_SNAPSHOT_DIR || path32.resolve(process.cwd(), ".visor", "snapshots");
+                  fs28.mkdirSync(baseDir, { recursive: true });
+                  const filePath = path32.join(baseDir, `${threadKey}-${checkId}.json`);
                   await this.saveSnapshotToFile(filePath);
                   logger.info(`[Snapshot] Saved run snapshot: ${filePath}`);
                   try {
@@ -71606,7 +73256,7 @@ var init_state_machine_execution_engine = __esm({
        * Does not include secrets. Intended for debugging and future resume support.
        */
       async saveSnapshotToFile(filePath) {
-        const fs25 = await import("fs/promises");
+        const fs29 = await import("fs/promises");
         const ctx = this._lastContext;
         const runner = this._lastRunner;
         if (!ctx || !runner) {
@@ -71626,14 +73276,14 @@ var init_state_machine_execution_engine = __esm({
           journal: entries,
           requestedChecks: ctx.requestedChecks || []
         };
-        await fs25.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
+        await fs29.writeFile(filePath, JSON.stringify(payload, null, 2), "utf8");
       }
       /**
        * Load a snapshot JSON from file and return it. Resume support can build on this.
        */
       async loadSnapshotFromFile(filePath) {
-        const fs25 = await import("fs/promises");
-        const raw = await fs25.readFile(filePath, "utf8");
+        const fs29 = await import("fs/promises");
+        const raw = await fs29.readFile(filePath, "utf8");
         return JSON.parse(raw);
       }
       /**